Your description was very close to how it works. Many cars store the mileage in more than one location. This particular module is set up for a Mercedes to stop the dashboard getting an updated mileage from another ECU in the vehicle, not necessarily the engine ECU; it could be from the ABS, LCM or even SAM modules (other places store it too, but these are the main ones). Many modules have access to the vehicle's mileage so that when a fault occurs they can log the fault code, time, date, mileage, etc. in the fault log. The car this was removed from probably had the mileage "corrected/cheated" to a lower value before it was sold, and this module was to stop the dashboard getting the updated mileage when the key was switched on. The module filters out the data containing the mileage from other ECUs, but it cannot correct the data to show 40,000 km less; that had to be reprogrammed into the dashboard itself. A genuine use for these is if you have some modules damaged by water/voltage surge/take your pick and need to replace them with 2nd hand units: if they came from a vehicle with higher mileage than the one you're repairing, then you would use a module like this to stop the dashboard loading the higher mileage into its memory. The dash will automatically increase the mileage value but won't lower it if you change the module back (BMW cars do this also). Using the vehicle's reg to do an online MOT check will usually show issues if the mileage has been tampered with. We work on vehicle electrics here daily and have many problems with CAN bus systems, mainly due to condensation on the connectors & PCBs. It takes very little damp to bridge the CAN data wires to power wires and raise the CAN bus voltage above operating limits, but as the CAN network covers the whole vehicle it can take a long time to trace where the fault is, e.g. Land Rover immobiliser & engine communications faults are regularly caused at the rear of the vehicle in the electric parking brake PCB, and Mercedes CAN bus problems often are with damp underneath the driver's feet mat or in the boot beside the spare wheel. It's very interesting work but it causes some headaches and makes a weekly pub visit almost essential. P.S. Removing this module most likely didn't do anything to fix the car's warning lights unless the module itself was faulty.
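A check a buyer or workshop could script from the points in the comment above (mileage held in several modules, mileage stamped into fault logs, and the MOT history), as an added example that is not part of the original comment. It assumes the readings have already been exported by a diagnostic tool; the module readings, fault labels, dates and the 50 km tolerance are constructed sample values.

```python
from dataclasses import dataclass

# Assumed allowance for modules that only synchronise at intervals.
SYNC_TOLERANCE_KM = 50


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = evidence of a rollback, "info" = needs explaining
    message: str


def check_vehicle(displayed_km, module_km, fault_log, inspections):
    """Cross-check the dashboard odometer against other recorded mileages.

    module_km   -- {module name: mileage stored in that module}
    fault_log   -- [(module, fault label, mileage when the fault was logged)]
    inspections -- [(ISO date, mileage)] from an inspection/MOT history
    """
    findings = []

    # 1. A module holding more than the dash means the dash was lowered or
    #    is being kept from synchronising.
    for name, km in sorted(module_km.items()):
        if km > displayed_km + SYNC_TOLERANCE_KM:
            findings.append(Finding(
                "high", f"{name} stores {km} km, dash shows {displayed_km} km"))
        elif km < displayed_km - SYNC_TOLERANCE_KM:
            findings.append(Finding(
                "info", f"{name} stores {km} km, below the dash; "
                        "possibly a replaced unit"))

    # 2. A fault cannot have been logged at a mileage the car has not reached.
    for module, label, km in fault_log:
        if km > displayed_km + SYNC_TOLERANCE_KM:
            findings.append(Finding(
                "high", f"{module} logged {label} at {km} km, "
                        f"above the displayed {displayed_km} km"))

    # 3. Inspection readings must never decrease and never exceed the dash.
    ordered = sorted(inspections)  # ISO dates sort chronologically
    for (d0, k0), (d1, k1) in zip(ordered, ordered[1:]):
        if k1 < k0:
            findings.append(Finding(
                "high", f"inspection {d1} shows {k1} km, "
                        f"less than {k0} km on {d0}"))
    if ordered and ordered[-1][1] > displayed_km + SYNC_TOLERANCE_KM:
        findings.append(Finding(
            "high", f"last inspection ({ordered[-1][1]} km) exceeds the dash"))

    return findings


# Constructed sample: a dash reading about 40,000 km below two other modules.
SAMPLE = dict(
    displayed_km=82_000,
    module_km={"ABS": 122_310, "SAM": 122_300, "LCM": 82_000, "ECU": 61_500},
    fault_log=[("ABS", "FAULT-A", 45_200), ("SAM", "FAULT-B", 118_900)],
    inspections=[("2019-03-01", 38_000), ("2020-03-04", 71_500),
                 ("2021-03-02", 109_800), ("2022-03-01", 79_400)],
)

if __name__ == "__main__":
    for f in check_vehicle(**SAMPLE):
        print(f"[{f.severity}] {f.message}")
```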
Thanks for that, I'm glad it made sense :-) It's interesting that those of us with similar interests all end up watching Big Clive taking the same stuff apart.
@@Firecul - But one might desire to have their cake, and eat it too, by claiming higher miles to the taxman, then when the car is sold on, lower the miles back to the true number, or even lower as this device did.
Very interesting. I install remote starters in vehicles and these types of circuits that peel out a signal or useful control for the vehicle are referred to as 't-harnesses'. When I use a t-harness it's typically to give me the information I need in order to control the car and running it down to a plug that interfaces with my remote start brain. This is the first I've seen of something like this, very interesting, thanks for sharing. Edit: also on the PCB itself, S4 would be for an Audi; W22 and W166 are Mercedes-Benz chassis codes.
If it was a mechanical odometer it may change the value for the stepper motor without affecting the speedometer, if that's possible. If it’s electronic, I believe the odometer display is stored in the ECM.
@@Punky-Boy I wouldn't be surprised if all CAN bus comms inside high-end cars will be encrypted soon. Just like John Deere, it will require proprietary software to pair and authorize replacement parts.
@@misterprimeminister473 I mean, bad guys will always do bad guy stuff. You could fudge the sensor on the trans, wheel speed sensors, or... ya know... put bigger diameter tires on a vehicle - garbage in; garbage out. In the US, the insurance companies track and sell this data. They typically audit the sensor collected data against GPS data.
Yeah, more accurately the body model designations. There's a good chance that each option fits far more car models than the ones printed on the PCB. They're all VAG after all.
Yes they are! The 222 chassis is the flagship model S class. The 166 chassis covers the middle to full size SUVs, what used to be the ML-GL class; now I think they are GL and GLC.
@@PenZon Ah, yes, I knew this wasn't the complete truth I told and that the numbers are somehow related to the chassis/body or something like that, but I didn't know how exactly, so I left it with my little half-truth ^^; .
The dominant "0" implements an ID priority system. When 2 devices write at the same time, the smaller ID will override the other one. This is sensed by each device and when it recognizes a difference between sent and read data, it stops and lets the other one continue.
I thought it was whoever wrote the 0 wins. The 0 is dominant. Whoever wrote the 1 but reads the 0 will know to yield. That way the device that won the right to transmit doesn't have to restart his transmission.
I fitted one of these kinds of devices some years back for a friend with an imported Subaru Legacy B4 Blitzen. In this case it wasn’t specifically an attempt to reduce the mileage but to circumvent the speed limiter which came in at around 112 mph. When fitted it converted the speedo so that the km/h section of the dial then became the mph reading.
Mine is chipped as well, one that disables the active fuel management (GM's AFM does not even save gas, it will just transfer the costs into expensive repairs so you end up saving nothing at all).
Those kinds of devices worked differently in most cases. In older Toyotas at least, this was implemented by the vehicle speed sensor, which was a mechanical device that created a variable clock square wave pulse interpreted by the ECU. This was also sent to the cluster to drive the odometer by routing the same wire from the sensor back to the ECU. The odometer had no smarts, it just used to drive a small motor, where the square wave ended up being interpreted as variable voltage based on speed. The speed cut bypass was achieved by sending a square wave pulse back to the ECU at just below the frequency for the max speed. The dumb ones just cut the wire to the ECU, but that caused problems. The advanced ones would look for a frequency above X and only modulate the signal down when the VSS was sending a frequency above the limited speed. This signal was usually generated by an NE 555. Similar approach but no CANBUS.
This is what it says on the back - a CAN gateway. Messages received on one CAN interface will be blocked or re-transmitted on the other, and vice-versa. (Here odometer messages going in the direction of the instrument cluster will have their payload doctored to represent a lower value before being sent on.) These sorts of things are used legitimately by vehicle manufacturers, usually to filter what messages can be read from the diagnostics port and especially to filter what messages can be sent from the diagnostics port onto the vehicle bus - which could be very dangerous. I really like this little board - whoever made it has done a neat job!
@J Jimenez You don't have to be a criminal to be interested in customizing your car's software. I read another comment of someone using a similar method to add a 'driver profile settings' functionality to their car, before it became more standard package. To quickly switch between settings of the mirrors, A/C, etc. for different drivers in the same car, basically. I could also see some diagnostics functions for the enthusiast. If they are looking to learn a bit about this stuff. Could prevent some trips to the mechanic's, in the right hands. Ofc people also use this to rip you off, but that's not gonna change anytime soon, now is it? Learning about that stuff does change things however. (allows you the opportunity to check for this stuff, for instance)
@@FroggyMosh exactly! I am annoyed that the panic button on my key fob sets off the horn, but does not shut down the engine.... I remember back in the late 70s when car alarms were rare and expensive we saw someone stealing a car in a restaurant parking lot, horn was going off for 20 minutes.... 80 some people standing around watching, no one called the police... now that you hear one going off every 5 minutes or so, effectiveness of a horn alarm is zero unless you (the owner) are within hearing distance. I want to have the horn (when oscillating in alarm mode) trip a circuit that will disable the car so it's not moving unless it's towed... also effective for car jacking...
@@rosebarnes9625 Any decent alarm system will have an immobilizer. Though with modern keys having chips in them, cars are basically impossible to hotwire. The car will just refuse to start without the correct cryptographic key.
@@2009dudeman you missed my point.... the panic button on my key fob sounds the horn..... that's it.... If I get car jacked, I want the panic button to shut off the engine, not sound the horn while he drives away....
@@rosebarnes9625 If you get car jacked, and for some reason you kept the remote but not the key. Shutting off the car when they are 20 feet away is going to cause them to get out of the car, pissed off and come back 20 feet to beat the crap out of you. Or just crash the car into something like they do with baitcars when those get shut down while they are driving. You're better off just putting lojack or something on it and having the police follow them to where they are parking it.
I used to have a very similar device about 12 years back, they can be used for many things, not just illegal ones. Have you seen the feature on cars to program in two sets of seat/mirror/etc settings for two drivers? Before that was standard, I made my own with a device like this. It intercepted dash controls to watch for a trigger. If I had the accessory on but engine off, pulled forward on the high beam lever twice, I could then hit turn signal up or down, each being a different seat, mirror, ac/heat, etc profile to change to. I suspect that's why the build quality is so high. Whoever programmed it for its illegal function probably just sourced the hardware elsewhere, programmed it for this task, and resold it labeled for this purpose.
Unfortunately, these are sold on Aliexpress and on other websites as "odometer correction" devices, so I doubt they're being used for a legitimate purpose. Interesting that you bring up memory seats - Wasn't that a common option on many cars before OBD-II was even standardized? I'm pretty sure you could get Buicks, Oldsmobiles, and Cadillacs with that feature as early as 1982.
You could certainly get those features, but here (US) they were never "base package" options, they always cost more and/or were on the higher end models. Plus I am very frugal when it comes to cars. But a cheap $20 OBD-II micro and the chance to learn how the bus works in general and I was beyond happy. Not to mention the fact I was the car's only driver and didn't even need seat profiles :P It was more about learning to hack on it for me.
Indeed, the fact that you could re-program it suggests it has legal uses as well. Just this particular one isn't so legitimate. A multi-purpose device that in this case was on the naughty side.
Here in the States when I was a young child, my father worked as an auto mechanic and I remember him bringing home the “analog” ancestor of such a device he found installed in-line with a car's speedometer drive cable. About the size of a D cell with a coupler on each end. It contained a set of planetary gears that would down-convert the car's speed measurement from “Miles per Hour” to “Kilometers per Hour.” So if you were going 60 MPH for one hour the speedometer would only indicate a little over 35 MPH, and likewise, the odometer would only increment 35 miles, not the 60 miles traveled! What is more, by that time most American vehicles had speedometers that indicated both MPH and km/h so the driver could just use the km/h scale to accurately know their true speed in MPH.
Michæl Alan Baker My father's 1976 GMC pickup had one of these devices as well, except it was marketed for use to change the indicated speed as he used larger tires than what came on the truck. It was used to correct the speedometer, not cheat it.
As a professional mechanic & electrical enthusiast this was very interesting. A good example of why I subscribed: all the random electronics you find and show.
@@Jimmeh_B One time I made a circuit that disabled all the ABS & wheel speed sensors so that the car could go above the factory limiter @ 115mph. It had the side effect of stopping the odometer & speedo from working. But it was on my car & I checked the odometer discrepancy thing on the title just to be safe. The circuit was just N.C. relays at every sensor, all powered from a switch under the dash. When on they all interrupted each sensor. The car couldn't tell how fast it was going so it didn't know when to limit speed. Just used a GPS speedometer app and away you go.
@@Jimmeh_B Haha that's funny, I am the same way. My girlfriend's car has traction control you can't shut off, so I always pull the ABS fuse when I drive because it disables all of that shit by the one fuse. Edit* especially during winter. Once you practice it's fun to keep the wheel turned and pulse brakes to alternate between sliding straight & turning.
The dominant state in CAN bus is a 0, so the lower node or message ID gets higher priority, so message or node 0 has the biggest priority and will 'win' any collision if two nodes start transmitting at the same time. Technically the dominant state could be a 1, but then the highest priority ID would depend on implemented specification (CAN 2.0A vs CAN 2.0B).
@@millomweb There's no bus clock line - the bus is asynchronous, it means that every node generates its own clock, roughly equal to bit rate, and during communication any node receiving a frame synchronizes its own clock to the clock derived from the transitions in the frame. There's also bit stuffing mechanism to ensure transitions are separated by max. 5 same bits. More pretty good info you can read on Wiki.
That explains why the E-class was throwing codes -- if this was designed for an M-class and they installed it on an E-class, it's probably hosering some of the data.
Pity there isn't an "AS" - for auto select - surely you can tell what 'car' it is by asking the ECU? (No, number of wheels, body shape etc. irrelevant - what car in terms of electronic control!)
16:33 Maybe you can. Mercedes writes any changes on the can-bus to a log every 10 miles. I remember it because one victim of airbag/radio theft decided to drive his car to a shop and practically strip the interior before reporting it. The shop then saw that the seats, radio, dash etc etc were disconnected after the car had been driven and pieced one and eleven together: insurance fraud.
That's fascinating that the mileage suddenly changed when it was removed. That means the ECU is accumulating the mileage and storing it locally in a non-volatile flash or EEPROM to make the vehicle's mileage inaccessible to most modifications. Reminds me of the "black box" functionality I found while reverse engineering some GM OBD-II ECU software. The ECU keeps a rolling buffer of vehicle telemetry data (speed, braking, engine parameters, pitch/roll/yaw data if available, etc.). In the event you crash the car, the entire buffer is dumped to the flash memory to tattle on you and investigators can then tell exactly what you were doing in the moments leading up to the crash.
Not sure if you’ll see this, but here comes a few Q’s... 1. Any clue on how a device like this would interact w/ an analog odometer *when removed* ?? Would the rollers spin away until the true ECU recorded miles were displayed? 2. Is there an available database that lists all vehicles that are outfitted w/ this big brother black box? I have a 2015 Wrangler JK - electronic amenities aren’t exactly the focus - So I feel if there ARE some more modern vehicles that do not have a BBox, it would be one like mine. On the flip side, if mine DOES have a bBox, then it’s safe to assume ALL vehs do.. which is very annoying. 3. Have you figured out any more cool tricks since this 2 Yr Old comment???
@@flojotube Depends on how the odometer is driven. If it’s cable driven then they spin away regardless. Analog gauges with a digital odometer will potentially be affected depending on how it is stored by the vehicle. Not all ECUs have the BB feature. I have a 99 PCM from a GM/Isuzu gas truck in my 88 Camaro with a PFI conversion that does not have it. But I have another from a Firebird on the shelf that does have that option to record data to the internal flash if the airbag deploys. It can be disabled, at least in the GM ECUs I was working with. I can’t vouch for the Wrangler. It may be there, and a search on the ‘net might help. Keep in mind it’s not comprehensive like one for a passenger plane. It simply records things like speed, vehicle status, if the brakes are applied or not, etc. In a standard crash it’s not much of a liability, but years ago someone did get burned by it when they were speeding in a Corvette and crashed. As long as you don’t plan on speeding it’s not an issue. A bigger concern is if the vehicle has connectivity (i.e. OnStar for GMs). Those seem to be VERY intrusive. I think I have even had them do stealth reflashes in the middle of the night. Get in and the car will have different features enabled like suddenly having auto start when the key is turned. I have heard the HVAC actuators come on randomly when I had my window open while sleeping. This is indicative that the vehicle's ECU/BCU are active for one reason or another. I would consider removing the cell antenna and associated electronics if you can and have such concerns. But that is not an easy task since it’s tied into the CAN bus and other controllers interface with it.
@@flojotube All 2012 and newer vehicles in the US have black boxes, I know because I had a 2011 and it was 1 out of the 5 models that sold in the US that year that didn't have one.
Years ago I had a boss who had me and another co-worker install a switch into his leased car. The switch replaced a fuse that powered the dashboard and the odometer. What he would do is get out on the highway, engage the cruise control and then disable the dash and odometer, presumably saving money on his lease.
@Dave Micolichek Correct. One of the cars I have stopped counting on the dash at 299999KM, but I have the option to take it in and get it flashed to the right mileage because it's still stored.
@@JackReacheround Toyota? The older Corollas and Prius have a glitch in the odometer that makes them stop counting at 299,999. It doesn't matter if it is in miles or kilometers.
They're actually used after changing the mileage in the cluster via an EEPROM dump; it blocks CAN signals to stop the dash synchronizing with the EZS module and putting the mileage back to what it was before (info is stored in both and it will "correct" itself to whichever number is higher).
@@boonedockjourneyman7979 Yes, I was wondering why there doesn't seem to be any effort to make that kind of attack more difficult. This seems less safe than a physical lead seal.
@@TheYear2525 CAN allows you to send eight bytes at a time. CANopen structures this a bit, so now you have four bytes header and four bytes data. There really isn't that much space for any authentication. For authentication to be of any use, the signature would have to be added to the message itself, and I know of no crypto suite that would fit in those size constraints. And if you want the dash and the ECU to exchange magic packets, then this device can just forward those. CAN is made for low-bandwidth real-time communication. The various sensors need their guaranteed bandwidth to send the data. Also threat models: No hacker gets into the CAN without physical tampering, so why waste resources on security? This particular attack only changes one part of the display. It does not, for example, disable the brakes. So no safety hazard. And only a safety hazard would motivate the manufacturers to do something about it. And that would likely be a seal of some kind, since that is still cheaper than changing the software of every single sensor, ECU, dashboard and radio on the CAN bus. Oh yes, these days the stereo is on the CAN bus, to see when you use the steering wheel buttons. Maybe a criminal hazard (fraud), if the buyer ever finds out.
I remember a case where a used car dealer was brought up on charges for "rolling back" a speedometer (that is how the law was written), in the days when cars used mechanical speedometers. At the trial, they had him cold with all their evidence. But he threw them for a loop. He rolled the speedometer "forward" until it hit 99,999 miles and then it all went to 000,000 and then he went a bit further and shaved off 40k. He walked and they had to reword the law.
I have never seen a law that is that poorly written ;D In Germany there is no specific law for it, but it is "computer fraud", which basically means manipulating data in a computer to gain financial benefits. We do not care if you go back, go forward, or in which order you do it ;D
@@bigclivedotcom I've found this, which seems extremely similar. www.truckdiag.com/shop/can-gateway-can-filter/ Quite a few other interesting devices on that site :)
8:44 - "It's actually quite well designed." Probably so that it minimizes any technical issues it might cause. You wouldn't want this causing problems on the network thus causing a technician to find it.
HappyQuails Well, I’d say given how the device works, it worked pretty well for a considerable time if it managed to shave 25,000 off the mileage. Either it failed and caused an issue with the CAN or it was just found by chance when the mechanic was investigating the other issues.
These are somewhat common in Central Europe (basically every car has had the miles clocked). Although the drawback I’ve heard from a few people is that the dash (even on a modern car with a fully digital dash) will display the speed wrong, presumably lower than reality so the dash doesn’t think you’ve travelled so far.
Hmmmm, I think I see how it works (7:00) but Merc have got wise to the 'mileage correction' game for a while now, the mileage is stored in 3/4 different places, the ECM (engine ecu), EIS (electronic ignition/key (yes the mileage is stored in the key)) and the IC (instrument cluster). If the mileage is significantly higher in any of these 3/4 places the rest of the modules will adopt the higher mileage. This has happened to a customer of a garage I used to work for where they used one of their spare keys and the mileage jumped up by 50,000 miles
How is that even possible? It would mean the old key would have had to travel 50000 miles in another vehicle. My brother is a locksmith and we retrieve the data off of a key to find there is no mileage being stored on the key; what we did find was a counter that was counting down the amount of times you could use the key before it would deactivate itself.
@@obviouslytwo4u The mileage had been 'corrected' and the previous owner had probably not supplied the spare key when the mileage had been changed. The car wasn't in the best of condition either with lots of stone chips and corrosion here and there so the actual mileage may have been even higher than the additional 50k as the key stored the mileage it was last used at
@@obviouslytwo4u amount of times a key can be used on a car? That sounds like a pain in the ass waiting to happen. Actually that would give me anxiety and I'd try to get rid of that. Unless you're not talking about a car key.
This isn't reprogramming the mileage value with a lower value, this is reducing the amount that is added. Therefore mileage data would be consistent in all storage devices. You couldn't use this to give a car a "haircut" (as the trade call a car with the odometer wound back), you stop the hair from growing as quickly.
@@renyn21 He's talking about manufacturers programming keys to self disable after X number of starts, to force you to buy a new $300 Smart key from the manufacturer. (after the warranty expires, of course.)
Makes me wonder though, is my State the only one which requires an odometer reading be written on the title when the vehicle changes hands? I am aware that these are actually entered into the State DMV computer; the computer kicks them back if the difference does not make sense, for example if the car went back 30 thousand miles from the last sale, the title would be frozen till the State Highway Patrol did a basic investigation. (I was a cop for 24 years.)
I'm commenting 19 months after this was posted so it may have already been posted - but the Mercedes W166 chassis is the GLE class SUV, and the W222 is the S Class from 2013-2020. So they got you covered, just jumper the coded pads on the bottom right. S4 is likely Audi and the BMWs might all be the same.
CANbus in vehicles (beyond the engine and transmission) started with the power windows. Vehicle manufacturers had reached a point around 2000 in shaving weight where all the low hanging fruit was gone. They were shaving weight because of the MPG requirements of the EPA and other regulatory agencies around the world. At some point, I believe it was Chrysler... an engineer said in a meeting, what about the power window system? At the time a power window system had wires looping from door switch to door switch all over the vehicle, wired basically like 3 way switches in a house. This system had well over 200 pounds of wiring, JUST to control the windows!!! Each door had a thick bundle of wires going into it just to control raising and lowering the windows, since all doors were connected through the main panel on the driver's door. This engineer realized he could reduce the wiring in each door to 12 volt power and ground, and two thin communication CAN wires looping around to each component of the window system within the door - a total of 4 wires passing into the door.... So instead of 12 volts in a heavy wire going from the driver's door to the passenger motor to drive it, the driver's door switch module puts commands on the CANbus to tell the passenger door to roll down (on some vehicles the modules talk directly, on others it must go through the ECM). Thus, vehicle wide CAN control was quickly adopted throughout the vehicle, on some vehicles to include things as basic as brake lights and turn signals.... All in the interest of losing weight in the wiring harness for fuel economy as well as cost savings reasons. By doing this, they reduced the over 2 miles of wire required in a late 1990's vehicle to less than half that by 2008. But I digress... as for this little gem... No bit banging... with proper construction of the circuit and hardware to meet CANbus communication standards... Well done !!!! except for, wow that's LOW.....
@@shmehfleh3115 Yep, it was used on factory floors for many years. It is nothing but RS-422. The first diagnostic connectors were introduced around 1990 and were very basic (the ALDL... a basic serial connector with hardly any data). J1850 was introduced in 1995 1/2 on both GM and Ford, with Dodge continuing to use its old serial bus but with a J1850 style connector ... till roughly 1997-1998. (Confusing as heck, huh.) The J1850 was fine for engine control but only ran at 9600 baud so its use was limited to very basic functions. Later, the J2284 with 112k baud came out by demand of the manufacturers so they could expand the bus as I described and connect more devices without bogging it down.
The old way of fudging miles was to disable the cluster; you would lose all output information on the IC. Guys would install an external programmer into the DLC and use that as their cluster. Things have changed now due to the fact that most ICs contain the vehicle security module. Very smart little gadget if you ignore its intended use. I actually have a module that is used to provide feedback information for the new electronic power steering systems. If you're interested in taking a look at it let me know, I can also get you all the relevant OEM wiring diagrams. CHEERS!!
The old old way was to take the dash out and use a screwdriver or such to roll the numbers back, or all the way around, without scratching them up or making them horribly misaligned.
It makes total sense. The jumper in the lower right says "W222" (Mercedes S-Class) and "W166" (Mercedes M-Class). It makes sense to manipulate the mileage of these models, as they are the biggest factors for resale. That moves (with us) in the area of a clear imprisonment because of "heavy fraud".
I'm guessing the circuit board was developed as a generic device that could be programmed for whatever use the owner needed and was then used by someone nefarious to defraud car purchasers.
No I think they're purpose designed for this - someone above has linked sites selling them in bulk. There are even expensive devices that reflash the ECU and dashboard with new mileages etc.
The bottom right side of the board (looking at his big photos) has solder joins labelled for different versions of the protocol. I would guess that this is purpose built for "being naughty" as Clive calls it, although you could repurpose it as something else that used 2 separate CAN buses and only 4 other IO (the 4 protocol choices are just GPIO, could be configured as input or output). STM32 microcontrollers are really nice/easy to work with (although the CAN bus speeds are a bitch to get at first).
The CAN bus has 0 being active due to how the CAN bus handles arbitration, i.e. what happens when two devices go to talk at once. Each CAN message has a priority code which works as follows. Let's say we have three nodes that want to transmit at practically the same time: one of 3 (0011), one of 1 (0001) and one of 5 (0101). Rather than messing with baud rates, let's just call each step a tick. First tick: all send the first bit; this is 0 for all of them, so they all go high, and the bus is high. They all check the bus value and all see it is high, so they all transmit the next bit. This is 0 for all but the last one, for which it is 1, so the first two go high and the last one goes low; as such the bus goes low! They all check the bus value, and the last one sees the bus is not the right level and goes into receive mode. Finally the first two transmit again, the bus goes low and the first one drops out, going into receive. The remaining node transmits its remaining bit, sees no conflict (which as it's the last bit would otherwise produce an error) and transmits its data onto the bus.
It's a node broadcast on the CAN if they adhere to standard protocols, a dominant controller will be allowed a specific number of Ms per second to broadcast its information, some are 1Hz some are 5 or 10Hz depending on the data priority. A dominant controller can pull voltage to 12V on some systems to tell other controllers a fault has occurred, some use 5V on CAN HI for this signalling. It can be 100 meters long with hundreds of nodes on the same bus. 2 120Ohm resistors, usually "active" termination are installed along the way.
The adjustable slew is used to "relax" the leading and trailing edges of the CAN signal. It cuts down on unnecessary noise. Anyone who has ever lived through DeviceNet knows what happens when the slew is set for "Flat out". :)
@@SteveJones172pilot Yes it does, and it certainly helps in that regard. And DeviceNet is an abuse of the CAN spec in the first place, so it needs all of the help that it can get. FWIW, my Railstar Io CAN boards have their slew rates "hard-coded" into the board by way of resistors (RC time constant). www.dcctrain.com/shop/item.aspx?itemid=6273
Back in the day, ‘clocking’ was rampant amongst the back street car traders...the Arfur Daley’s. The U.K. introduced a mileage statement on each MOT, so I’m not sure if it can still be fiddled or not?
Some vehicles will store the mileage in both the cluster and ecu, and in some cases other modules. ABS units will provide speed data and this is usually passed on to ECU, Instrument cluster and any other modules that need it via CAN.
"If you're getting illegal electronics you want to make sure they're made to good standards" 😂😂 Brilliant Clive. Interestingly, I had a BMW Motorcyle and due to their particular take on CANBUS you couldn't just plug your battery maintainer (e.g Optimate) straight into the 12v accessory output socket as it goes dead a few seconds after the ignition is turned off. So you actually need a special (expensive) version of battery maintainer. What I did instead is to unplug the wiring from the back of the pillion seat accessory socket, insulate and tie these back carefully (for easy reversal of my mod). Then I simply connected the battery (with a suitable in-line fuse) directly to the accessory socket terminals. Voilà! A simple way to use my standard Optimate device with this particular bike 👍
Pretty much any modern printer will print photos of that high quality. The source matters more. So if you use a high quality camera to take high quality photos, you can print them out in high quality in most printers.
Wow I'm not even a driver and I learned so much from this video. I have very basic knowledge about circuits and the explanations here filled in so many little questions I had. Thanks for that.
"Keep in mind that their function is to reduce the apparent mileage of a vehicle, and this may be a criminal offence in some countries." It definately is in the Isle of Man, and in fact the UK :-)
It's not an offence until you sell the vehicle with an illegitimate mileage to a buyer without telling them the mileage has been lowered. It seems here that the device has been used in illegitimate circumstances
@@stevieg_306 But it's not an offence to sell a car with 50k on it if the car had an engine replaced without the buyers knowledge. It happened to me and trading standards told me 'tough luck m8'.
Somebody may have already said this, but the four pads on the bottom of the board (which are present in many devices that use microcontrollers, generally directly adjacent to the microcontroller itself and traceable to either a serial interface or serial programming pins) are intended for programming the chip during manufacture. The chips are almost always soldered to the board directly from a tape reel or whatever, and programmed after they are installed with a clip or a jig specific for the purpose. If it's four pins that look like this board, it is almost certainly RS232, and if the chip isn't an OTP model (or a model with a one-time program option for which the fuse has been tripped by the manufacturer) you should be able to connect to it with a device as simple as a RS232-USB converter. It's easiest to just remove the DB9 connector and solder a couple of wires to the 4 serial IO lands on the board, then of course attach them to the corresponding pins on the target board. Depending on the software the microcontroller is running and/or the configuration of the internal flash ROM (and how the physical pins on the board are hooked up) one can almost always get by using the program flashrom in Linux (available in nearly every distribution's repository), or in more usual commercial products (wireless routers being an example about which there is much information and a great many guides/tutorials online) which were built with diagnostics/rebuild-ability/refurbishment in mind there is often even a telnet server running on the microcontroller that can be accessed how one might expect.
14:27 "i wonder who made it"!? All I could think of was... "well if u took it to the coppers to get fingerprints off it before u cut it open & touched it a hundred times, maybe you'd been able to find out?!? LoL LoL LoL
Thank you! As I'm watching I'm like someone has to have mentioned it... Because the entire time I'm watching I'm waiting to hear "Hi I'm Scott Maaaaanley"
If you want an interesting look into figuring out the special sauce for programming an ECU over CAN, look up Just4Trionic. Used it extensively while tuning my 1997 SAAB 900, to avoid having to take the ECU out every time I needed to program it (using Motorola's proprietary "BDM" interface; kinda like JTAG for the embedded Motorola 68K's). Unfortunately the 1994-1998 900's didn't have the CAN lines brought out to the OBD port, so I had to make a custom adapter cable for SAAB's proprietary 'debug' plug hidden behind the glove box. Neat stuff, especially given how old the SAAB Trionic 5 ECU design is.
As others have mentioned - it would be cool to get the hex dump of the ARM chip. Not sure how similar the process is for the STM32 chips, but for basic Arduino family of chips it's not too hard - as long as the fuses haven't been burned to prevent it. Put the dump on Pastebin and see what we can discover as a community. Perhaps it's really simple or mega complex ..??
Looks fairly well made, The messages are sent periodically, this is intercepting the odometer message and modifying the reading, the other messages will be relayed. The jumpers in the bottom right are to change the vehicle it's configured for W222 and W166 are Mercedes chassis generation numbers and there is BMW support. The CAN chips are Transceivers, the controllers are in the MCU itself. They'll have used Microchip as they are the cheapest in low volume. A CAN gateway is a device that bridges 2 CAN bus networks, bit like a router in Ethernet.
The bus termination resistor is also to stop the signal wave bouncing off the end of the transmission line and echoing back and forth. Like a rope tied to a fixed point and pulled a bit tight, twitch one end of the rope and watch a wave travel -- then bounce off the tie point and return. The resistor absorbs the signal instead. Slope control allows reduction of EMI and power supply peak draw in CAN bus networks with lower data rates (slower edges = doesn't transmit as much, takes less current to slew the bus voltage) and high speed operation for e.g. 1MBPS networks.
Til some genius invented... the ratchet! Actually it's surprising the counters would work going downward. The mechanism to increment the next digit, every time it goes from 9 to 0, surely wouldn't work in the opposite direction. It's possible to build a counter that can go in either direction, but you wouldn't, for a mile counter. Even before they put ratchets in (the trusting souls!), I bet it only worked on some cars. The rest you'd just have to disassemble, or maybe swap out with a counter from a scrapped car or something. I dunno, "Dishonest Car-Dealing Bastards Of Days Gone By" would be an interesting book to read.
i know on Lincoln's from the mid '90s the mileage was stored locally on the dash, i had a customer who pulled the dash fuse to keep the mileage low :/ and yes it worked
I bought a used car with a bunch of parts once, including a dash cluster... when I asked why the guy told me “It’s only got 50K on it, if YOU ever sell the car swap it in and make a few extra bucks” :-S
The 5 empty pins on the bottom of the board are for a micro USB connection. From left to right it is 5V, Data -, Data +, Mode Detect, and GND. That's how they programmed it. Likely it is programmed with Arduino but could also be Python. The CANBUS controller chips tell me it is Arduino. You can extract the code in binary and use a disassembler to convert the code.
For us old timers that is a Berg header plugged into a wire wrap header. I wonder if That ARM 7 is hardwired to simply subtract 40,000 km or does it compute a proportional mileage reduction, say 75% of actual mileage. Between seeing this and the GPS tracker gizmos found on used cars glad we buy ours new and use them until the wheels fall off.
Very interesting, I may have to check this out as my car lost 40k miles when I disconnected the battery. 63 plate Audi. As you said in the video, very hard to prove when it was done if this was installed.
I actually built a very similar circuit a few weeks ago. But in my case I did it to translate the data and that I could retrofit an instrument cluster from a newer car :-D
The polarity of the dominant and recessive bits is selected this way so that logically lower IDs have higher priority on the bus. That is, the message with the lowest ID will determine the state of the bus in case of a collision between two or more messages. Any transceiver transmitting a higher ID will detect that the bus state doesn't match what they are trying to send, and will yield. This provides a mechanism of arbitration, which always allows the message with highest priority to get through.
In over 40 years of buying cars I cannot recall ever paying much attention to the recorded mileage. But then most of my cars come from a period when body condition was much more important and the greasy bits could be fixed relatively easily. Having said that, I did once go as far as replacing the luminous paint on the dials of a 1954 Pathfinder. On that model the instruments were lit via UV filters which gave a rather pleasing glow to them.
It seems like you should be able to hook up an OBD2 plug and read what the "true" odometer state is. (Assuming someone didn't go through A LOT of trouble to also intercept the signal going to the OBD2 plug.)
You are right about P1, it's going to be a programming header they connect to with pogo pins. Pin: Gnd, Vcc or Rst, Boot0, SWD, SCLK. W222 and W166 are codes for various Mercedes models (S class M class). STM32F103 is popular with Arduino, the F105 not so much. But no way to be sure unless you find the original Chinese engineer who wrote the software.
looks too well designed to be done by someone who would use Arduino, they even went through the trouble of having 5V just for the CAN transceivers. S4 could be an AUDI
@@fuzzy1dk I disagree, I use Arduino and I could design a board that looked that good, maybe better, the real skill is the firmware and we can't see that. I say good luck to the hackers
@@andymouse Right. Arduino is really, at its heart, just a boot loader. There's also the standard pinouts for shields etc but the software will run even if you ignore and abuse that. The rest is a nice set of libraries and a big HAL. Not much in itself, it just needed someone to actually do it. The Italian fella did, fucked up a couple of pins, and consigned BASIC Stamp back to the cheap grave it kept trying to crawl out of. Now it supports Arm. Wouldn't be surprised to see someone compile Linux on it. Using some god-awful bit banged VGA display. I haven't even mentioned the Pi and its siblings! Aren't things great nowadays! You could knock yourself up a half decent digital scope with a touchscreen LCD that fits in your pocket! For pocket money!
These are made and sold by a company called Abrites, and as described on the back it is a CAN gateway that repeats a lower mileage to the cluster. They do have a genuine use case in the automotive aftermarket in reusing second hand parts. Because manufacturers make it (rightfully) very difficult to rewrite mileage data in any control module, these emulator/gateway modules are most commonly used to reuse a second hand instrument cluster which may have had a higher mileage than the car did, rather than any nefarious purpose.
At GM Holdens there was a discussion about encrypting HSCAN data for sensitive information - we pushed for ALL data to be encrypted to obfuscate all sensitive communications. GM didn't want to spend the money.
I already saw devices to defeat the engine/airbag/brake system control lights in older cars. They were simple enough, timed switching of some sort and a small relay so the lights went on with the ignition and cut the power to them after 3 to 5 seconds so it looked legit. Same with soldering resistors to the airbag wires so the car doesn't notice a missing airbag after the old one was removed due to an accident/faulty airbag. They then usually just glued the plastic cover of the dashboard/steering wheel back on. One of the tricks you could only identify by disassembling this stuff (or if you're lucky the horn didn't work or having a hollow sound where an airbag should be). This just seems to be the modern iteration of those old scam methods. I wonder if they also get those things to stop modern cars from displaying errors in those little LCD panels in the dash. After seeing this video I guess they are able to figure this stuff out too.
I realise it's 2yrs later but... Back from the speedo gang connector Cut the wire feeding the check engine lamp then scotch lock it (tag on ) to the Battery /Gen lamp wire , wrap connector and tuck away from view inside the bundle . Fixed
One year further on and the MIL light still has a switched 12v signal from the ECU. The battery light has an ignition switched 12v feed from the battery and a negative that becomes positive once the alternator is outputting voltage. When there is a difference between battery voltage and alternator voltage the lamp lights. Doing what you suggest will just put the MIL light on permanently whenever the ignition is on and probably destroy the ECU when you back feed it with 12v on an output pin that is pulled to ground when the MIL light should be off. You would also create the potential for even more damage by connecting together 12v feeds that are both fed from different fuses/circuits. @@321CatboxWA
@@AndyMcGeever The check eng lamp is cut off out of circuit with the computer and hooked in parallel to the charge lamp , no back feed is possible . The check light comes on with the key and goes out with the charge lamp when started just like you would expect it too. It's simple and cant harm the computer . I've discovered it done to a chevy that ran great but had codes that never triggered the lamp .
@@321CatboxWA The ground on the MIL light is permanently grounded. The 12v feed to the alternator light is permanently positive when the ignition is on. If you connect the positive going to the MIL light to the positive going to the alternator light then the MIL light will stay on. The MIL light is grounded through the common ground in the instrument cluster, the alternator ground is a separate conductor that feeds the alternator field coil and is no longer a ground path when the engine is running. If you connect the MIL light ground to the alternator light ground then you are shorting the alternator's field coil supply to ground. You would have to cut the trace on the instrument cluster to disconnect the MIL light's ground and then add a link to the alternator ground to do what you are suggesting.
@@AndyMcGeever The ck lamp hot wire was cut and tagged onto the charge lamp hot wire. Found it on a hunch, traced it, no back feed issues were observed and the charging system was working to spec. A potential dastardly way to disable a check light. I'm not advocating doing this. Results may vary.
Mines so old it has a spinning cable running from the transmission to the instrument cluster. This attack wouldn't work (though there are other ways of faking mileage.)
I suspect they know the node address and data register(s) that contains the CAN data for the odometer on the different cars, the CPU is just acting as a gateway and filtering out the specific target register(s), the data for the odometer is then “massaged” to different values and the new altered values are sent out. The complex part is knowing where *all* the registers for the mileage data lie so you aren’t missing one. Somewhat analogous to old school software cracking.
@@bigclivedotcom haha. Yeah, I won't ask for more than that. I'm extremely grateful for all of your efforts. I love learning about this stuff. Thank you
@@rayraycthree5784 That's not what I was interested in. Dumping the roms of these chips is way too much work. I was simply interested in the awesome drawings and circuit designs he outlines in these videos.
@@nathantron You cannot dump the ROM of this device because it's read-protected. However the device itself can be reprogrammed, due to the fact of the real easy circuit. I have done some research recently and you can see my documentation here: github.com/EliasKotlyar/Canfilter It can be used as a legitimate dev-platform for retrofit installation, where you try to connect 2 components which are using different can-protocols. Also it can be used as a can-sniffer for seeing which commands are being transferred between a device and the car.
@@thomas316 "Harley-Davidson did not admit liability, and said previously it disagreed with the government, arguing that the tuners were designed and sold to be used in “competition only.” Yea, just like their "competition only" exhaust pipes that are used on the road.... ...maybe the "competition" here is what Harley owner can be the biggest loudest asshole????
You can rest assured that the real car geeks will already know plenty about every aspect of most vehicles communication protocols and how secure they are.
@@bigclivedotcom Secure - you jest surely. It won't be secure (End to end AES256 encryption and authentication handshakes) until it becomes a legal requirement. Even then most manufacturers will fudge it and leave it with as many holes as a colander.
Like others have said, the w222 is a Mercedes S class and w166 is an ML. What I didn’t see mentioned is Mercedes models share CAN architecture. These two models' CAN architecture covers the whole range of Mercedes models. From my experience these blockers do not cause error codes and are usually found by accident. There are other control modules that redundantly store the mileage and you’re able to check the mileage in those modules with a MB scan tool.
A friend of mine bought 2 trucks from a local used car lot. She took one of them in for service and the technician came out and explained to her that when they went to smog the truck they pulled the mileage off of the ECM or PCM and it was 200,000 miles more than what was on the Odometer. The truck had 400,000 some odd miles on it. She was not happy.
I used to work on equipment that had zero volts to represent a logic 1, this was so that you could connect two lines together to form an OR gate. It was known as a wired OR, and relied on the fact that zero volts would drag the +ve logic 0 down (up?) to a logic 1 (0v). It got really confusing as the newer equipment that came along used ICs and +ve represented a logic 1.
'-ve logic' is still very common. Ahh.. The days of 7401s and 7407s with open collector output for 'wired OR' (or NAND) depending which logic level you wanted 😁.
@@ColinDyckes In the early 1970s I worked on some Burroughs equipment that used quad dual input NAND gate ICs for all logic in the machine, bistables, registers, the lot. I later moved to ICL and then to MDS where I was trained on equipment that used TTL when TTL really meant transistors! I'm currently building some kit, which for old time's sake uses transistors and diodes, not a chip in sight, let alone a microcontroller!
except the bank leasing would be a deeper check then just looking at the dash. Even if at turn in the dash looks OK, once they really check you'll be on the hook.
I’ve designed Soooooooo many PCBs with STM32 chips. That guy has a dual CAN controller so the firmware is just intercepts the traffic and sends it back out with the data overwritten. Very clever!
Typically all the signals are sent from the ECU to the dashboard, because the dashboard is a display, and the ECU can light up certain lights. On ones that have a display, they can have a second board to handle running it that talks to the ECU.
is it well made? well it works but your mileage may vary
Well played sir!
instantrimshot.com/audio/rimshot.mp3
www.sadtrombone.com ;)
You win
Very punny. 😆😂🤷♂️
Your description was very close to how it works, Many cars store the mileage in more than one location, this particular module is setup for a mercedes to stop the dashboard getting an updated mileage from another ecu in the vehicle, not necessarily the engine ecu, it could be from the ABS, LCM or even SAM modules(other places store it too but these are the main ones). Many modules have access to the vehicles mileage so that when a fault occurs they can log the fault code, time, date, mileage, etc in the fault log.
The car this was removed from probably had the mileage "corrected/cheated" to a lower value before it was sold and this module was to stop the dashboard getting the updated mileage when the key was switched on, the module filters out the data containing the mileage from other ecu's but it cannot correct the data to show 40,000 km less, that had to be reprogrammed into the dashboard itself.
A genuine use for these is if you have some modules damaged by water/voltage surge/take your pick and need to replace them with 2nd hand units, if they came from a vehicle with higher mileage than the one you're repairing then you would use a module like this to stop the dashboard loading the higher mileage into its memory, the dash will automatically increase the mileage value but won't lower it if you change the module back (BMW cars do this also).
Using the vehicles reg to do an online MOT check will usually show issues if the mileage has been tampered with.
We work on vehicle electrics here daily and have many problems with canbus systems, mainly due to condensation on the connectors & pcb's, it takes very little damp to bridge the can data wires to power wires and raise the canbus voltage above operating limits, but as the can network covers the whole vehicle it can take a long time to trace where the fault is, eg. Land Rover immobiliser & engine communications faults are regularly caused at the rear of the vehicle in the electric parking brake pcb, Mercedes canbus problems often are with damp underneath the driver's feet mat or in the boot beside the spare wheel. It's very interesting work but it causes some headaches and makes a weekly pub visit almost essential.
P.S. Removing this module most likely didn't do anything to fix the cars warning lights unless the module itself was faulty.
Was going to say something very similar, so thank you for saving me the time! Very well written!
Thanks for that, I'm glad it made sense :-) It's interesting that those of us with similar interests all end up watching Big Clive taking the same stuff apart
I did a search of the numbers on the back of the pcb and got this:
www.cardiag.com/product/can-filter/
Sounds like your theory may be correct.
Error codes...😂
Very interesting. I'm glad I found this comment, thank you.
"The more they over think the plumbing, the easier it is to stop up the drain." Montgomery Scott.
Not to mention being sent to prison. They do not eff around with this stuff. You will get sent to prison for using this if you get caught.
@@tarstarkusz Depending on country. In Australia I think they'll just giggle like they understand the joke.
Aye.
I wonder if an increase mileage version exists for those who claim mileage against their tax.
That's an interesting thought but wouldn't more miles be more better for claiming tax back? 🤔
The chip can probably be reprogrammed
Mileage can be increased by a lot of bidirectional scan tools. That is far easier than trying to decrease it. Most legit tools can't
@@Robeight I recently claimed cents/km and don't recall providing postcodes
@@Firecul - But one might desire to have their cake, and eat it too, by claiming higher miles to the taxman, then when the car is sold on, lower the miles back to the true number, or even lower as this device did.
Very interesting. I install remote starters in vehicles and these types of circuits that peel out a signal or useful control for the vehicle are referred to as 't-harnesses'. When I use a t-harness its typically to give me the information I need in order to control the car and running it down to a plug that interfaces with my remote start brain. This is the first Ive seen of something like this, very interesting, thanks for sharing.
Edit: also on the pcb itself,
S4 would be for an Audi
W22 and w166 are Mercedes-Benz chassis codes
If it was a mechanical odometer it may change the value for the stepper motor without affecting the speedometer if that possible. If it’s electronic, I believe the odometer display is stored in the ECM.
By Mercedes the odo is stored in the engine ECU, the gearbox if it's automatic, the body and tacho
@@Punky-Boy I wouldn't be surprised if all CAN bus comms inside high-end cars will be encrypted soon. Just like John Deere, it will require proprietary software to pair and authorize replacement parts.
@@misterprimeminister473 Well, you have to learn new parts to the car, and ECUs aren't switchable if you don't get an empty one
@@misterprimeminister473 I mean, bad guys will always do bad guy stuff. You could fudge the sensor on the trans, wheel speed sensors, or... ya know... put bigger diameter tires on a vehicle - garbage in; garbage out. In the US, the insurance companies track and sell this data. They typically audit the sensor collected data against GPS data.
The "W" numbers are the Mercedes model numbers.
and S4 is an Audi
Yeah, more accurately the body model designations. There's good chance that each option fits far more car models than the ones printed on the PCB. They're all VAG after all.
@@PenZon Um, no they're not? Mercedes and BMW aren't part of VAG.
Yes they are! 222 chassis is the Flagship model S class, The 166 chassis covers the middle to full size suvs what used to be the ML-GL class now I think they are GL and GLC.
@@PenZon Ah, yes, I knew this wasn't the complete truth I told and that the numbers are somehow related to the chassis/body or something like that, but I didn't know how exactly, so I left it with my little half-truth ^^; .
I think we need a part 2 where you see if the program can be read.
Clive, you really need to read this chip and see what the secret sauce is!
See my comment in main thread.
The dominant "0" implements an ID priority system. When 2 devices write at the same time, the smaller ID will override the other one. This is sensed by each device and when it recognizes a difference between sent and read data, it stops and lets the other one continue.
i thought it was whoever wrote the 0 wins. the 0 is dominant. whoever wrote the 1 but reads the 0 will know to yield. that way the device that won the right to transmit doesnt have to restart his transmission.
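The arbitration these comments describe, including the earlier walkthrough with nodes 3 (0011), 1 (0001) and 5 (0101), as an added Python example that is not part of any comment. It models the bus as a wired-AND of logical bits (0 dominant, 1 recessive) rather than voltages; the function names are hypothetical.

```python
"""Bitwise CAN arbitration on a wired-AND bus (added illustration)."""

DOMINANT, RECESSIVE = 0, 1  # logical bit values; a 0 overrides a 1 on the bus


def arbitrate(ids, width=11):
    """Simulate nodes that start transmitting their identifiers together.

    Returns (winner_id, trace). Each trace entry is
    (tick, bus_level, ids_that_backed_off_on_this_tick).
    """
    if not ids:
        raise ValueError("need at least one transmitting node")
    if len(set(ids)) != len(ids):
        raise ValueError("identifiers must be unique per transmitter")
    if any(i < 0 or i >= (1 << width) for i in ids):
        raise ValueError("identifier does not fit in the given width")

    contenders = list(ids)
    trace = []
    for tick, bit in enumerate(range(width - 1, -1, -1)):  # MSB goes first
        sent = {i: (i >> bit) & 1 for i in contenders}
        # Wired-AND: one dominant bit from any node forces the bus dominant.
        bus = DOMINANT if DOMINANT in sent.values() else RECESSIVE
        # A node that sent recessive but reads dominant has lost and
        # switches to receiving; the others never notice a collision.
        losers = [i for i in contenders if sent[i] != bus]
        contenders = [i for i in contenders if sent[i] == bus]
        trace.append((tick, bus, losers))
    return contenders[0], trace


def bus_bits_as_id(trace):
    """Rebuild the identifier that actually appeared on the bus."""
    value = 0
    for _, bus, _ in trace:
        value = (value << 1) | bus
    return value


if __name__ == "__main__":
    # The three 4-bit priority codes from the walkthrough in the comments.
    winner, trace = arbitrate([3, 1, 5], width=4)
    for tick, bus, losers in trace:
        print(f"tick {tick}: bus={bus} backed off={losers}")
    print("winner:", winner, "| id seen on bus:", bus_bits_as_id(trace))
```

The bits on the bus are exactly the winner's identifier, which is why the winning node carries on without restarting its frame.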
I fitted one of these kinds of devices some years back for a friend with an imported Subaru Legacy B4 Blitzen. In this case it wasn’t specifically an attempt to reduce the mileage but to circumvent the speed limiter which came in at around 112 mph. When fitted it converted the speedo so that the km/h section of the dial then became the mph reading.
mine is chipped as well one that disables the active fuel management (gm's AFM does not even save gas it will just transfer the costs into expensive repairs so you end up saving nothing at all)
Those kind of devices worked differently in most cases. In older Toyota's at least, this was implemented by the vehicle speed sensor, which was a mechanical device that created a variable clock square wave pulse interpreted by the ECU. This was also sent to the cluster to drive the odometer by routing the same wire from the sensor back to the ECU. The odometer had no smarts, it just used to drive a small motor, where the square wave ended up being interpreted as variable voltage based on speed. The speed cut bypass was achieved by sending a square wave pulse back to the ECU at just below the frequency for the max speed. The dumb ones just cut the wire to the ECU, but that caused problems. The avast ones would look for a frequency above X and only modulate the signal down when the VSS was sending a frequency above the limited speed. This signal was usually generated by an NE 555. Similar approach but no CANBUS
This is what it says on the back - a CAN gateway. Messages received on one CAN interface will be blocked or re-transmitted on the other, and vice-versa. (Here odometer messages going in the direction of the instrument cluster will have their payload doctored to represent a lower value before being sent on.)
These sort of things are used legitimately by vehicle manufacturers, usually to filter what messages can be read from the diagnostics port and especially to filter what messages can be sent from the diagnostics port onto the vehicle bus - which could be very dangerous.
I really like this little board - whoever made it has done a neat job!
@J Jimenez You don't have to be a criminal to be interested in customizing your car's software. I read another comment of someone using a similar method to add a 'driver profile settings' functionality to their car, before it became more standard package. To quickly switch between settings of the mirrors, A/C, etc. for different drivers in the same car, basically.
I could also see some diagnostics functions for the enthusiast. If they are looking to learn a bit about this stuff.
Could prevent some trips to the mechanic's, in the right hands.
Ofc people also use this to rip you off, but that's not gonna change anytime soon, now is it? Learning about that stuff does change things however. (allows you the opportunity to check for this stuff, for instance)
@@FroggyMosh exactly! I am annoyed that the panic button on my key fob sets off the horn, but does not shut down the engine.... I remember back in the late 70s when car alarms were rare and expensive we saw someone stealing a car in a restaurant parking lot, horn was going off for 20 minutes.... 80 some people standing around watching, no one called the police... now that you hear one going off every 5 minutes or so, effectiveness of a horn alarm is zero unless you (the owner) are within hearing distance.
I want to have the horn (when oscillating in alarm mode) trip a circuit that will disable the car so it's not moving unless it's towed... also effective for car jacking...
@@rosebarnes9625 Any decent alarm system will have an immobilizer. Though with modern keys having chips in them. Cars are basically impossible to hotwire. The car will just refuse to start without the correct cryptographic key.
@@2009dudeman you missed my point.... the panic button on my key fob sounds the horn..... that's it.... If I get car jacked, I want the panic button to shut off the engine, not sound the horn while he drives away....
@@rosebarnes9625 If you get car jacked, and for some reason you kept the remote but not the key. Shutting off the car when they are 20 feet away is going to cause them to get out of the car, pissed off and come back 20 feet to beat the crap out of you. Or just crash the car into something like they do with baitcars when those get shut down while they are driving.
You're better off just putting lojack or something on it and having the police follow them to where they are parking it.
I used to have a very similar device about 12 years back, they can be used for many things, not just illegal ones.
Have you seen the feature on cars to program in two sets of seat/mirror/etc settings for two drivers?
Before that was standard, I made my own with a device like this. It intercepted dash controls to watch for a trigger.
If I had the accessory on but engine off, pulled forward on the high beam lever twice, I could then hit turn signal up or down, each being a different seat, mirror, ac/heat, etc profile to change to.
I suspect that's why the build quality is so high. Whomever programmed it for its illegal function probably just sourced the hardware elsewhere, programmed it for this task, and resold it labeled for this purpose.
Unfortunately, these are sold on Aliexpress and on other websites as "odometer correction" devices, so I doubt they're being used for a legitimate purpose.
Interesting that you bring up memory seats - Wasn't that a common option on many cars before OBD-II was even standardized? I'm pretty sure you could get Buicks, Oldsmobiles, and Cadillacs with that feature as early as 1982.
You could certainly get those features, but here (US) they were never "base package" options, they always cost more and/or were on the higher end models. Plus I am very frugal when it comes to cars.
But a cheap $20 OBD-II micro and the chance to learn how the bus works in general and I was beyond happy. Not to mention the fact I was the only cars driver and didn't even need seat profiles :P It was more about learning to hack on it for me
@@lorddissy I mean, I'm here in the US, and Buick, Oldsmobile, and Cadillac are all General Motors, which is a US brand...
Indeed, the fact that you could re-program it suggests it has legal uses as well. Just this particular one isn't so legitimate. A multi-purpose device that in this case was on the naughty side
If they're sold on AliExpress, would it come with a programmer? How would the purchaser set the number of miles to be subtracted?
Here in the states when I was a young child, my father worked as an auto mechanic and I remember him bringing home the “analog” ancestor of such a device he found installed in-line with a car's speedometer drive cable. About the size of a D cell with a couple on each end. It contained a set of planetary gears that would down-convert the car's speed measurement from “Miles per Hour” to “Kilometers per Hour.” So if you were going 60 MPH for one hour the speedometer would only indicate a little over 35 MPH, and likewise, the odometer would only increment 35 miles, not the 60 miles traveled! What is more, by that time most American vehicles had speedometers that indicated both MPH and km/h so the driver could just use the km/h scale to accurately know their true speed in MPH.
Probably from km/h to Miles/h (eg from 100km to 62miles) 🤓
Michæl Alan Baker My fathers 1976 GMC pickup had one of these devices as well, except it was marketed for use to change the indicated speed as he used larger tires than what came on the truck. It was used to correct the speedometer, not cheat it.
Conservator About how many miles is 60 km?
@@SudaNIm103 about 40
@@SudaNIm103 40
With Clive's accent I kept hearing him say "Cannabis" and for a minute my brain kept getting confused...
Some might say that's a CAN-A-BUS effect.
Yes very confusing
It was smoking, wasn't it. Or was it what I ate.
That really restores my faith in buying second hand cars!
as a professional mechanic & electrical enthusiast this was very interesting. a good example of why I subscribed; all the random electronics you find and show.
I've been wondering how long it would take for a device like this to surface.
@@Jimmeh_B one time I made a circuit that disabled all the abs & wheel speed sensors so that the car could go above the factory limiter @ 115mph. it had the side effect of stopping the odometer & speedo from working. but it was on my car & I checked the odometer discrepancy thing on the title just to be safe.
the circuit was just N.C. relays at every sensor, all powered from a switch under the dash. when on they all interrupted each sensor. the car couldn't tell how fast it was going so it didn't know when to limit speed. just used a gps speedometer app and away you go.
@@jankcitycustoms I like it, simple and effective. :)
The first thing I do on any car with ABS is pull the ABS fuse. Not a fan of ABS.
@@Jimmeh_B haha that's funny, I am the same way.
my girlfriend's car has traction control you can't shut off. so I always pull the ABS fuse when I drive because it disables all of that shit by the one fuse.
edit* especially during winter. once you practice it's fun to keep the wheel turned and pulse brakes to alternate between sliding straight & turning
@ADEBISI ADEBISI lol. na, handjobs are near the bottom; I'll see ya down there later. this is the bullshitin' story time thread.
The dominant state in CAN bus is a 0, so the lower node or message ID gets higher priority, so message or node 0 has the biggest priority and will 'win' any collision if two nodes start transmitting at the same time.
Technically the dominant state could be a 1, but the highest priority ID would depend on implemented specification (CAN 2.0A vs CAN 2.0B).
On such comments and knowing nothing, am I right in thinking there's a bus clock ?
Please Miss, what does 'CAN' stand for ?
@@millomweb Car Area Network
If you want an easier way of understanding the CANBUS this video is ideal: th-cam.com/video/PL0TPdrhMuI/w-d-xo.html
@@millomweb There's no bus clock line - the bus is asynchronous, it means that every node generates its own clock, roughly equal to bit rate, and during communication any node receiving a frame synchronizes its own clock to the clock derived from the transitions in the frame. There's also bit stuffing mechanism to ensure transitions are separated by max. 5 same bits. More pretty good info you can read on Wiki.
The W166 refers to the 3rd generation of Mercedes M-class, W222 are the short wheel based saloons in the s-class. S-4 might be for the Audi S-4
well, the new Toyota supra and the BMW Z4 is basically the same car ;)
That explains why the E-class was throwing codes -- if this was designed for an M-class and they installed it on an E-class, it's probably hosering some of the data.
Pity there isn't an "AS" - for auto select - surely you can tell what 'car' it is by asking the ECU? (No, number of wheels, body shape etc. irrelevant - what car in terms of electronic control!)
@@eformance such that when the A/C reached its set point, the dash reported low engine oil.
A typical multi-application board.
In South Africa we call that giving the car a haircut
I love the fact that you also call traffic lights "robots". ;)
And I believe roundabouts are known as "turning circles" in a few Countries?
In spain we call that "To shave kms" :)
Hello all from the uk :).
Here in England we call it a puss cut.
@Eben van Ellewee this
@Andrew Hall Eben van Ellewee
Ahh, that sounds more like it. hehe
16:33 Maybe you can. Mercedes writes any changes on the can-bus to a log every 10 miles. I remember it because one victim of airbag/radio theft decided to drive his car to a shop and practically strip the interior before reporting it. The shop then saw that the seats, radio, dash etc etc were disconnected after the car had been driven and pieced one and eleven together: insurance fraud.
That's fascinating that the mileage suddenly changed when it was removed. That means the ECU is accumulating the mileage and storing it locally in a non-volatile flash or eeprom to make the vehicle's mileage inaccessible to most modifications. Reminds me of the "black box" functionality I found while reverse engineering some GM OBD-II ECU software. The ECU keeps a rolling buffer of vehicle telemetry data (speed, braking, engine parameters, pitch/roll/yaw data if available, etc.). In the event you crash the car, the entire buffer is dumped to the flash memory to tattle on you and investigators can then tell exactly what you were doing in the moments leading up to the crash.
Not sure if you’ll see this, but here comes a few Q’s...
1. Any clue on how a device like this would interact w/ an analog odometer *when removed* ?? Would the rollers spin away until the true ECU recorded miles were displayed?
2. Is there an available database that lists all vehicles that are outfitted w/ this big brother black box? I have a 2015 Wrangler JK - electronic amenities aren’t exactly the focus - So I feel if there ARE some more modern vehicles that do not have a BBox, it would be one like mine. On the flip side, if mine DOES have a bBox, then it’s safe to assume ALL vehs do.. which is very annoying.
3. Have you figured out any more cool tricks since this 2 Yr Old comment???
@@flojotube Depends on how the odometer is driven. If it’s cable driven then they spin away regardless. Analog gauges with a digital odometer will potentially be affected depending on how it is stored by the vehicle. Not all ECUs have the BB feature. I have a 99 PCM from a GM/Isuzu gas truck in my 88 Camaro with a PFI conversion that does not have it. But I have another from a Firebird on the shelf that does have that option to record data to the internal flash if the airbag deploys. It can be disabled, at least in the GM ECUs I was working with. I can’t vouch for the Wrangler. It may be there, and a search on the ‘net might help. Keep in mind it’s not comprehensive like one for a passenger plane. It simply records things like speed, vehicle status, if the brakes are applied or not, etc. In a standard crash it’s not much of a liability, but years ago someone did get burned by it when they were speeding in a corvette and crashed. As long as you don’t plan on speeding it’s not an issue. A bigger concern is if the vehicle has connectivity (i.e. OnStar for GMs). Those seem to be VERY intrusive. I think I have even had them do stealth reflashes in the middle of the night. Get in and the car will have different features enabled like suddenly having auto start when the key is turned. I have heard the HVAC actuators come on randomly when I had my window open while sleeping. This is indicative that the vehicle's ECU/BCU are active for one reason or another. I would consider removing the cell antenna and associated electronics if you can and have such concerns. But that is not an easy task since it’s tied into the CAN bus and other controllers interface with it.
@@flojotube All 2012 and new vehicles in the US have black boxes, I know because I had a 2011 and it was 1 out of the 5 models that sold in the US that year that didn't have one.
Those prints just continue to impress me every time.
years ago I had a boss who had me and another co-worker install a switch into his leased car.
The switch replaced a fuse that powered the dashboard and the odometer.
What he would do is get out on the highway, engage the cruise control and then disable the dash and odometer, presumably saving money on his lease.
Great guy.
@Dave Micolichek Correct. One of the cars i have stopped counting on the dash at 299999KM, but i have the option to take it in and get it flashed to the right mileage because its still stored.
@@JackReacheround Toyota? The older Corollas and Prius have a glitch in the odometer that make them stop counting at 299,999. It doesn't matter if it is in miles or kilometers.
No odometer no cruise control.
@@nukelauncher95 Pontiac vibe, The cousin car to the Matrix
they're actually used after changing the mileage in the cluster via an eeprom dump, it blocks CAN signals to stop the dash synchronizing with the EZS module and putting the mileage back to what it was before (info is stored in both and it will "correct" itself to whichever number is higher)
"I had to do a lot of test driving to find the issue, if you don't believe me, check the odometer."
This is a classic "Man-in-the-middle Attack"
I initially thought 'evil maid' type mitm. But in this case it's definitely friendly criminal maid mitm.
AKA a splice.
Really old school stuff. I’d have thought there’d be some sort of authentication layer based on SN or something in the operating software by now.
@@boonedockjourneyman7979 Yes, I was wondering why there doesn't seem to be any effort to make that kind of attack more difficult. This seems less safe than a physical lead seal.
@@TheYear2525 CAN allows you to send eight bytes at a time. CANopen structures this a bit, so now you have four bytes header and four bytes data. There really isn't that much space for any authentication. For authentication to be of any use, the signature would have to be added to the message itself, and I know of no crypto suite that would fit in those size constraints. And if you want the dash and the ECU to exchange magic packets, then this device can just forward those.
CAN is made for low-bandwidth real-time communication. The various sensors need their guaranteed bandwidth to send the data.
Also threat models: No hacker gets into the CAN without physical tampering, so why waste resources on security? This particular attack only changes one part of the display. It does not, for example, disable the brakes. So no safety hazard. And only a safety hazard would motivate the manufacturers to do something about it. And that would likely be a seal of some kind, since that is still cheaper than changing the software of every single sensor, ECU, dashboard and radio on the CAN bus. Oh yes, these days the stereo is on the CAN bus, to see when you use the steering wheel buttons.
Maybe a criminal hazard (fraud), if the buyer ever finds out.
I remember a case where a used car dealer was brought up on charges for "rolling back" a speedometer..(that is how the law was written)..in the days when cars used mechanical speedometers. At the trial, they had him cold with all their evidence. But he threw them for a loop. He rolled the speedometer "forward" until it 99,999 miles and then it all went to 000,000 and then he went a bit further and shaved off 40k. He walked and they had to reword the law.
I have never seen a law that is that poorly written ;D
In Germany there is no specific law for it, but it is "computer fraud", which basically means manipulating data in a computer to gain financial benefits. We do not care if you go back, go forward, or in which order you do it ;D
The keyword for this on aliexpress is "can filter universal odometer adjust", only 12$ or something....
Thanks, I've narrowed that down further to "can filter 18 in 1" and they seem very common. I've added a search link in the description.
@@bigclivedotcom "BMW Mileage Correction" should help too. They don't reverse mileage on BMW's but they prevent it going up
@@bigclivedotcom I've found this, which seems extremely similar. www.truckdiag.com/shop/can-gateway-can-filter/
Quite a few other interesting devices on that site :)
Think this is the oem... www.yanhuaacdp.com/
Tempted to buy a couple to try and read the MCU's firmware out. The test pads are likely to be SWD and power.
That's a criminal offense and the corporation that did the crime should be prosecuted.
8:44 - "It's actually quite well designed." Probably so that it minimizes any technical issues it might cause. You wouldn't want this causing problems on the network thus causing a technician to find it.
Except that he did find it .... due to numerous dashboard issues.
@@HappyQuailsLC Then I guess it wasn't designed well enough. ;)
HappyQuails well I’d say given how the device works, it worked pretty well for a considerable time if it managed to shave 25,000 off the mileage.
Either it failed and caused an issue with the CAN or it was just found by chance when the mechanic was investigating the other issues.
i am thinking it is a "generic" piece of kit "repurposed" for this usage and NOT MADE FOR THIS USAGE
jason riddell considering there are pads to select 4 different vehicle programs I’d say it’s being used for exactly what it was designed for.
This generation was in need of replacement due to power drain issues.
These are somewhat common in Central Europe (basically every car has had the miles clocked). Although the drawback I’ve heard from a few people is that the dash (even on a modern car with a fully digital dash) will display the speed wrong, presumably lower than reality so the dash doesn’t think you’ve travelled so far.
Hmmmm, I think I see how it works (7:00) but Merc have got wise to the 'mileage correction' game for a while now, the mileage is stored in 3/4 different places, the ECM (engine ecu), EIS (electronic ignition/key (yes the mileage is stored in the key)) and the IC (instrument cluster). If the mileage is significantly higher in any of these 3/4 places the rest of the modules will adopt the higher mileage. This has happened to a customer of a garage I used to work for where they used one of their spare keys and the mileage jumped up by 50,000 miles
How is that even possible it would mean the Old key would have had to travel 50000 miles in a another vehicle. My brother is a locksmith and we retrieve the data off of a key to find there is no mileage being stored on the key what we did find was a counter that was counting down the amount of times you could use the key before it would deactivate itself.
@@obviouslytwo4u The mileage had been 'corrected' and the previous owner had probably not supplied the spare key when the mileage had been changed. The car wasn't in the best of condition either with lots of stone chips and corrosion here and there so the actual mileage may have been even higher than the additional 50k as the key stored the mileage it was last used at
@@obviouslytwo4u amount of times a key can be used on a car? That sounds like a pain in the ass waiting to happen. Actually that would give me anxiety and I'd try to get rid of that. Unless you're not talking about a car key.
This isn't reprogramming the mileage value with a lower value, this is reducing the amount that is added. Therefore mileage data would be consistent in all storage devices. You couldn't use this to give a car a "haircut" (as the trade call a car with the odometer wound back), you stop the hair from growing as quickly.
@@renyn21 He's talking about manufacturers programming keys to self disable after X number of starts, to force you to buy a new $300 Smart key from the manufacturer. (after the warranty expires, of course.)
We have really taken electronics in cars well beyond what is needed for the purpose of transportation. Welcome to the matrix.
A 👍and a subscription for that "If your getting illegal electronics, you ot to make sure that they are made to a good standards" lol too funny 🤣🤣🤣
Best comment I have heard so far this year
Also to make sure you know what to look for if you looking for a new used car
"you ot to" ?? Seriously? *facepalm*
Yes, I enjoyed that sardonic comment too.
@@AureliusR ... and in the same sentence, "If your getting ..." - that's the second face-palm in one sentence.
Memories of Danny DeVito in 'Matilda'...though he took a little different of an approach :P
Cheers for sending this, Dave. Very interesting!
Makes me wonder though, is my State the only one which requires an odometer reading be written on the title when the vehicle changes hands? I am aware that these are actually entered into the State DMV computer, the computer kicks them back if the difference does not make sense, for example if the car went back 30 thousand miles from the last sale, the title would be frozen till the State Highway Patrol did a basic investigation. (I was a cop for 24 years.)
For sale: E36 BMW, runs great, cold AC, good tires, lots of extras.
LOW MILEAGE!
$10k. No lowballers, I kno wut I have!
Sold for $10k, though as you didn't specify which country, it's $10k Zimbabwean, which comes to less than 1 cent US. xD
Ahh yes, it's the "Ferris Bueller" mileage fluffing unit.
nah you just gotta run it in reverse :P
@@sawspitfire422 that didn't work nearly as well on the Ferrari in the movie as it did on my dad's Honda..... 😁
So that's why I'm watching this then.... I just watched that and was listening to Danke Schoen a little while ago lol
@@BitKing_Ross I recall ... Central Park in fall ... 🎵
I'm commenting 19 months after this was posted so it may have already been posted - but the Mercedes W166 chassis is the GLE class SUV, and the W222 is the S Class from 2013-2020. So they got you covered, just jumper the coded pads on the bottom right. S4 is likely Audi and the BMWs might all be the same.
Its similar to a device that Taxi drivers use to display the journey to charge their customers.
In reverse you mean?
Videos from two of my favorite creators (Great Scott is the other) making content on CANBus?! YAY!
@@YourMotherSucksCocksInHell feel that way too sometimes
CANbus in vehicles (Beyond the engine and transmission) started with the power windows. Vehicle manufacturers had reached a point around 2000 in shaving weight where all the low hanging fruit was gone. They were shaving weight because of the MPG requirements of the EPA and other regulatory agencies around the world. At some point, I believe it was Chrysler... an engineer said in a meeting, what about the power window system? At the time a power window system had wires looping from door switch to door switch all over the vehicle, wired basically like 3 way switches in a house. This system had well over 200 pounds of wiring, JUST to control the windows!!! Each door had a thick bundle of wires going into it just to control raising and lowering the windows, since all doors were connected through the main panel on the driver's door. This engineer realized he could reduce the wiring in each door to 12 volt power and ground, and two thin communication CAN wires looping around to each component of the window system within the door - a total of 4 wires passing into the door.... So instead of 12 volts in a heavy wire going from the drivers door to the passenger motor to drive it. The drivers door switch module puts commands on the CANbus to tell the passenger door to roll down. (on some vehicles the modules talk directly, on others it must go through the ECM). Thus, vehicle wide CAN control was quickly adopted throughout the vehicle, on some vehicles to include things as basic as brake lights and turn signals.... All, in the interest of losing weight in the wiring harness for fuel economy as well cost savings reasons. By doing this, they reduced the over 2 miles of wire required in a late 1990's vehicle to less than half that by 2008.
But I digress... as for this little gem... No bit banging... with proper construction of the circuit and hardware to meet CANbus communication standards... Well done !!!! except for, wow that's LOW.....
CANbus has been around since the early 80s.
@@shmehfleh3115 yep, it was used on factory floors for many years. It is nothing but RS-422. The first diagnostic connectors were introduced around 1990 and were very basic (the ALDL... a basic serial connector with hardly any data)
J1850 was introduced in 1995 1/2 on both GM and Ford, with dodge continuing to use its old serial bus but with a J1850 style connector ... till roughly 1997-1998. (Confusing as heck huh) the J1850 was fine for engine control but only ran at 9600 baud so its use was limited to very basic functions. Later, the J2284 with 112k baud came out by demand of the manufacturers so they could expand the bus as I described and connect more devices without bogging it down.
The old way of fudging miles was to disable the cluster, you would lose all output information on the IC. guys would install an external programmer into the DLC and use that as their cluster. things have changed now due to the fact that most ICs contain the vehicle security module. very smart little gadget if you ignore its intended use. I actually have a module that is used to provide feedback information for the new electronic power steering systems. if you're interested in taking a look at it let me know, i can also get you all the relevant OEM wiring diagrams CHEERS!!
The old old way was to take the dash out and use a screwdriver or such to roll the numbers back, or all the way around, without scratching them up or making them horribly misaligned.
Usually the dash is part of the immobiliser system, also in most new cars, the mileage is transmitted from the ABS controller and stored there.
@@st_us Only in older VAG cars the IMMO is in the cluster. Nobody else does this stupid design.
or buy one from the wreckers with lower mileage and swap it over
It makes totally sense. The jumper in the lower right say "W222" (Mercedes S-Class) and "W166" (Mercedes M-Class). It makes sense to manipulate the mileage of these models, as they are the biggest factors for resale. That moves (with us) in the area of a clear imprisonment because of "heavy fraud".
Its so nice to see they went to the effort to color code it for us
I'm guessing the circuit board was developed as a generic device that could be programmed for whatever use the owner needed and was then used by someone nefarious to defraud car purchasers.
No I think they're purpose designed for this - someone above has linked sites selling them in bulk. There are even expensive devices that reflash the ECU and dashboard with new mileages etc.
the bottom right side of the board (looking at his big photos) has solder joins labelled for different versions of the protocol, i would guess that this is purpose built for "being naughty" as clive calls it
although, you could repurpose it as something else that used 2 separate can busses and only 4 other IO (the 4 protocol choices are just gpio, could be configured as input or output) stm32 microcontrollers are really nice/easy to work with (although the can bus speeds are a bitch to get at first)
It's called a CAN filter. You can find them on DHgate and Aliexpress.
www.dhgate.com/product/yanhua-mb-can-filter-18-in-1-benz-bmw-universal/422061032.html#s1-7-1;searl|1741375639
@@ebthepcguy I don't see a mileage set in the description. I'm curious if you program it or is it set from the factory?
the CAN bus has 0 being active due to how the CAN bus handles Arbitration; i.e. what happens when two devices go to talk at once.
Each CAN message has a priority code which works as follows;
let's say we have three nodes that want to transmit at practically the same time, one of 3 (0011) one of 1 (0001) and one of 5 (0101)
rather than messing with baud rates let's just call each step a Tick;
first tick;
All send the first bit, this is 0 for all of them
So they all go high, and the bus is high
They all check the bus value and all see it is high
So they all transmit the next bit, this is 0 for all but the last one for which it is 1
so the first two go high, and the last one goes low
as such the bus goes low!
they all check the bus value and the last one sees the bus is not the right level and goes into receive mode
finally the first two transmit again
the bus goes low
and the first one drops out to going into receive
the remaining node transmits its remaining bit, sees no conflict (which as it's the last bit would otherwise produce an error) and transmits its data onto the bus
What a clever system
It's that way around so that device zero is the highest priority..
If 1 was the active state then device 255 would have to be the highest priority..
Kind of a brilliant system
Good point!
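The arbitration walk-through above (nodes 3, 1 and 5) and the earlier comments that the lowest ID wins and that stuffing limits runs to five equal bits, as an added example that is not part of the thread: a Python simulation of a wired-AND bus with logical 0 as the dominant state. Function names are illustrative; the 4-bit width mirrors the comment, while real CAN identifiers are 11 bits (2.0A) or 29 bits (2.0B).

```python
"""CAN arbitration and bit stuffing on a simulated wired-AND bus."""

DOMINANT, RECESSIVE = 0, 1


def id_bits(can_id, width):
    """Return the identifier as a list of bits, most significant first."""
    if not 0 <= can_id < (1 << width):
        raise ValueError(f"ID {can_id:#x} does not fit in {width} bits")
    return [(can_id >> shift) & 1 for shift in range(width - 1, -1, -1)]


def arbitrate(ids, width=11):
    """Simulate bitwise arbitration between nodes that start together.

    Returns (winner_id, trace). Each trace entry is
    (bit_position, bus_level, ids_that_dropped_out_on_this_bit).
    """
    if not ids:
        raise ValueError("at least one transmitting node is required")
    if len(set(ids)) != len(ids):
        raise ValueError("two nodes must not send the same identifier")
    contenders = {can_id: id_bits(can_id, width) for can_id in ids}
    trace = []
    for pos in range(width):
        sent = {can_id: bits[pos] for can_id, bits in contenders.items()}
        # Wired-AND: a single dominant 0 overrides every recessive 1.
        bus = DOMINANT if DOMINANT in sent.values() else RECESSIVE
        # A node that sent recessive but reads back dominant has lost
        # arbitration; it stops transmitting and becomes a receiver.
        losers = sorted(cid for cid, bit in sent.items() if bit != bus)
        for cid in losers:
            del contenders[cid]
        trace.append((pos, bus, losers))
    (winner,) = contenders  # unique IDs guarantee exactly one survivor
    return winner, trace


def stuff(bits):
    """Insert a complementary bit after every run of five equal bits.

    The inserted stuff bit itself counts as the first bit of the next run,
    so the stuffed stream never carries more than five equal bits in a row.
    """
    out, run_bit, run_len = [], None, 0
    for bit in bits:
        out.append(bit)
        if bit == run_bit:
            run_len += 1
        else:
            run_bit, run_len = bit, 1
        if run_len == 5:
            out.append(1 - bit)
            run_bit, run_len = 1 - bit, 1
    return out


def longest_run(bits):
    """Length of the longest run of equal consecutive bits."""
    best = run = 0
    prev = None
    for bit in bits:
        run = run + 1 if bit == prev else 1
        prev = bit
        best = max(best, run)
    return best


if __name__ == "__main__":
    # The three nodes from the comment, using 4-bit identifiers.
    winner, trace = arbitrate([3, 1, 5], width=4)
    for pos, bus, losers in trace:
        state = "dominant" if bus == DOMINANT else "recessive"
        print(f"bit {pos}: bus={bus} ({state}) dropped={losers}")
    print("winner:", winner)
    # Constructed sample payload with long runs, before and after stuffing.
    raw = [0] * 10 + [1] * 7
    print("stuffed:", stuff(raw), "longest run:", longest_run(stuff(raw)))
```

Run directly, it prints the same drop-out order as the walk-through: node 5 backs off on the second bit, node 3 on the third, and node 1 keeps the bus.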
It's a node broadcast on the CAN if they adhere to standard protocols, a dominant controller will be allowed a specific number of Ms per second to broadcast its information, some are 1Hz some are 5 or 10Hz depending on the data priority. A dominant controller can pull voltage to 12V on some systems to tell other controllers a fault has occurred, some use 5V on CAN HI for this signalling. It can be 100 meters long with hundreds of nodes on the same bus. 2 120Ohm resistors, usually "active" termination are installed along the way.
There are mileage corrector adverts locally, they plug something in your car and reprogram the mileage, so no need for that gadget
The adjustable slew is used to "relax" the leading and trailing edges of the CAN signal. It cuts down on unnecessary noise. Anyone who has ever lived through DeviceNet knows what happens when the slew is set for "Flat out". :)
Do you mean it slows the rise/fall times of the signal to eliminate the high frequency overtones of the signal as it changes? Just curious
@@SteveJones172pilot Yes it does, and it certainly helps in that regard. And DeviceNet is an abuse of the CAN spec in the first place, so it needs all of the help that it can get.
FWIW, my Railstar Io CAN boards have their slew rates "hard-coded" into the board by way of resistors (RC time constant). www.dcctrain.com/shop/item.aspx?itemid=6273
Can it make me look ten years younger?
@Dave Micolichek Doesn't work without the 9v battery to the tongue.
Only if you're Johnny-5.
The Circuit is good, but not a miracle device.
No, but it might make your pecker hard if you shove up your arse and apply mains voltage.😉😯😄
That's a different mushroom. Go ask Alice. 🍄 🤶👀
Back in the day, ‘clocking’ was rampant amongst the back street car traders...the Arfur Daley’s. The U.K. introduced a mileage statement on each MOT. so I’m not sure if it can still be fiddled or not?
Some vehicles will store the mileage in both the cluster and ecu, and in some cases other modules. ABS units will provide speed data and this is usually passed on to ECU, Instrument cluster and any other modules that need it via CAN.
"If you're getting illegal electronics you want to make sure they're made to good standards" 😂😂 Brilliant Clive. Interestingly, I had a BMW Motorcyle and due to their particular take on CANBUS you couldn't just plug your battery maintainer (e.g Optimate) straight into the 12v accessory output socket as it goes dead a few seconds after the ignition is turned off. So you actually need a special (expensive) version of battery maintainer. What I did instead is to unplug the wiring from the back of the pillion seat accessory socket, insulate and tie these back carefully (for easy reversal of my mod). Then I simply connected the battery (with a suitable in-line fuse) directly to the accessory socket terminals. Voilà! A simple way to use my standard Optimate device with this particular bike 👍
What printer do you use to print out your stunning PCB photos?
Epson eco tank.
Pretty much any modern printer will print photos of that high quality. The source matters more. So if you use a high quality camera to take high quality photos, you can print them out in high quality in most printers.
@@bigclivedotcom I would be interested to know which model of Epson EcoTank you went for. I am about to take the plunge myself after much debate......
@@xenonram I work in said industry - the paper stock makes a huge difference also - Clive must be using good Inkjet Coated Paper.
@@cameradoctor205 He certainly is, when he picks the photo up it barely sags, it's almost card weight and super gloss.
Wow I'm not even a driver and I learned so much from this video.
I have very basic knowledge about circuits and the explanations here filled in so many little questions I had.
Thanks for that.
"Keep in mind that their function is to reduce the apparent mileage of a vehicle, and this may be a criminal offence in some countries."
It definitely is in the Isle of Man, and in fact the UK :-)
It's not an offence until you sell the vehicle with an illegitimate mileage to a buyer without telling them the mileage has been lowered. It seems here that the device has been used in illegitimate circumstances
@@stevieg_306 you are suggesting that it is just for thick people that want to cheat themselves legally?? HA HA!!
@@fredflintstone1 nice name! Kinda weird to run into you here!
Best solved with a street sweeper.
@@stevieg_306 But it's not an offence to sell a car with 50k on it if the car had an engine replaced without the buyers knowledge. It happened to me and trading standards told me 'tough luck m8'.
Somebody may have already said this, but the four pads on the bottom of the board (and that are present in many devices that use microcontrollers, generally directly adjacent to the microcontroller itself and traceable to either a serial interface or serial programming pins) are intended for programming the chip during manufacture. The chips are almost always soldered to the board directly from a tape reel or whatever, and programmed after they are installed with a clip or a jig specific for the purpose. If it's four pins that look like this board it is almost certainly RS232, and if the chip isn't an OTP model (or a model with a one-time program option for which the fuse has been tripped by the manufacturer) you should be able to connect to it with a device as simple as a RS232-USB converter. It's easiest to just remove the DB9 connector and solder a couple of wires to the 4 serial IO lands on the board, then of course attach them to the corresponding pins on the target board. Depending on the software the microcontroller is running and/or the configuration of the internal flash rom (and how the physical pins on the board are hooked up) one can almost always get by using the program flashrom in linux (available in nearly every distribution's repository), or in more usual commercial products (wireless routers being an example about which there is much information and a great many guides/tutorials online) which were built with diagnostics/rebuild-ability/refurbishment in mind there is often even a telnet server running on the microcontroller that can be accessed how one might expect.
14:27 "i wonder who made it"!?
All I could think of was... "well if u took it to the coppers to get fingerprints off it before u cut it open & touched it a hundred times, maybe you'd been able to find out?!? LoL LoL LoL
I can't help but think, this channel is like Scott Manley's secret electrical engineer brother...
Thank you! As I'm watching I'm like someone has to have mentioned it... Because the entire time I'm watching I'm waiting to hear "Hi I'm Scott Maaaaanley"
If you want an interesting look into figuring out the special sauce for programming an ECU over CAN, look up Just4Trionic. Used it extensively while tuning my 1997 SAAB 900, to avoid having to take the ECU out every time I needed to program it (using Motorola's proprietary "BDM" interface; kinda like JTAG for the embedded Motorola 68K's). Unfortunately the 1994-1998 900's didn't have the CAN lines brought out to the OBD port, so I had to make a custom adapter cable for SAAB's proprietary 'debug' plug hidden behind the glove box. Neat stuff, especially given how old the SAAB Trionic 5 ECU design is.
Ha, Trionic5 fan here too. I've got two 9000 Aeros. Do you know Jules from the UKSaabs forum? Possibly the best T5 tuner in the UK.
As others have mentioned - it would be cool to get the hex dump of the ARM chip.
Not sure how similar the process is for the STM32 chips, but for basic Arduino family of chips it's not too hard - as long as the fuses haven't been burned to prevent it. Put the dump on Pastebin and see what we can discover as a community. Perhaps it's really simple or mega complex ..??
It's programmed through the steering wheel media buttons
th-cam.com/video/wrUP9y0P0S0/w-d-xo.html&feature=emb_logo
Looks fairly well made,
The messages are sent periodically, this is intercepting the odometer message and modifying the reading, the other messages will be relayed.
The jumpers in the bottom right are to change the vehicle it's configured for
W222 and W166 are Mercedes chassis generation numbers and there is BMW support.
The CAN chips are Transceivers, the controllers are in the MCU itself. They'll have used Microchip as they are the cheapest in low volume.
A CAN gateway is a device that bridges 2 CAN bus networks, bit like a router in Ethernet.
The bus termination resistor is also to stop the signal wave bouncing off the end of the transmission line and echoing back and forth. Like a rope tied to a fixed point and pulled a bit tight, twitch one end of the rope and watch a wave travel -- then bounce off the tie point and return. The resistor absorbs the signal instead.
Slope control allows reduction of EMI and power supply peak draw in CAN bus networks with lower data rates (slower edges = doesn't transmit as much, takes less current to slew the bus voltage) and high speed operation for e.g. 1MBPS networks.
how time flies, years ago you would just spin the speedo drive cable backwards with a drill to remove miles.
Those were the days!
Til some genius invented... the ratchet!
Actually it's surprising the counters would work going downward. The mechanism to increment the next digit, every time it goes from 9 to 0, surely wouldn't work in the opposite direction. It's possible to build a counter that can go in either direction, but you wouldn't, for a mile counter.
Even before they put ratchets in (the trusting souls!), I bet it only worked on some cars. The rest you'd just have to disassemble, or maybe swap out with a counter from a scrapped car or something. I dunno, "Dishonest Car-Dealing Bastards Of Days Gone By" would be an interesting book to read.
Then they ran it forward until the mechanical counter turns over, takes a little longer, but there's rubberbands to hold the drill trigger down.
Looks like a classic Man In The Middle ( MITM) hardware attack. Very slick.
I know on Lincolns from the mid '90s the mileage was stored locally on the dash, I had a customer who pulled the dash fuse to keep the mileage low :/ and yes it worked
I bought a used car with a bunch of parts once, including a dash cluster... when I asked why the guy told me “It’s only got 50K on it, if YOU ever sell the car swap it in and make a few extra bucks” :-S
The 5 empty pins on the bottom of the board are for a micro USB connection. From left to right it is 5V, Data -, Data +, Mode Detect, and GND. That's how they programmed it. Likely it is programmed with Arduino but could also be Python. Judging by the CANBUS controller chips tell me it is Arduino. You can extract the code in binary and use a disassembler to convert the code.
The fact that they went to the trouble of making this a quality design speaks volumes about the greed of humans.
For us old timers that is a Berg header plugged into a wire wrap header. I wonder if that ARM 7 is hardwired to simply subtract 40,000 km or does it compute a proportional mileage reduction, say 75% of actual mileage.
Between seeing this and the GPS tracker gizmos found on used cars glad we buy ours new and use them until the wheels fall off.
Well...you could answer that question yourself...because what if the actual mileage is less than 40k?
@@mojoblues66 True but what is the point of putting this gizmo on a low mileage car? I assume it is installed by a car dealer so they can charge more.
Very interesting, I may have to check this out as my car lost 40k miles when I disconnected the battery. 63 plate Audi. As you said in the video, very hard to prove when it was done if this was installed.
D*** you're cute
I actually built a very similar circuit a few weeks ago. But in my case I did it to translate the data and that I could retrofit an instrument cluster from a newer car :-D
Sounds interesting, I would totally watch a video about it
I know there are videos of people using OLD BMW clusters wired up to PC's for racing games and having REAL gauges in your "car"
Could you build me one? I'd gladly pay. davidv8522@gmail.com I would like to install a different cluster in my vehicle.
The polarity of the dominant and recessive bits is selected this way so that logically lower IDs have higher priority on the bus. That is, the message with the lowest ID will determine the state of the bus in case of a collision between two or more messages. Any transceiver transmitting a higher ID will detect that the bus state doesn't match what they are trying to send, and will yield. This provides a mechanism of arbitration, which always allows the message with highest priority to get through.
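The arbitration rule described in the comment above, as a small C simulation added here (not code from the video or from any commenter): dominant is 0, recessive is 1, and the bus is modelled as a wired-AND of everything being driven. The function name `can_arbitrate`, the 16-node limit and the sample identifiers are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CAN_ID_BITS 11  /* identifier length of a standard (base format) frame */
#define MAX_NODES   16  /* size limit of this simulation, not of CAN itself */

/* Bit of `id` sent at arbitration step `step` (step 0 = most significant bit). */
static int id_bit(uint16_t id, int step)
{
    return (id >> (CAN_ID_BITS - 1 - step)) & 1;
}

/*
 * Simulate arbitration between n nodes that start a frame at the same moment.
 * Dominant = 0, recessive = 1; the bus behaves as a wired-AND of all drivers.
 *   ids[i]     identifier node i wants to send (constructed sample values)
 *   lost_at[i] out: step at which node i backed off, or -1 if it never did
 *   bus_id     out: identifier actually seen on the wire
 * Returns how many nodes are still transmitting after the ID field, or 0 on
 * invalid input. A result above 1 means duplicate identifiers: arbitration
 * cannot separate them and they collide later in the frame.
 */
size_t can_arbitrate(const uint16_t *ids, size_t n, int *lost_at, uint16_t *bus_id)
{
    int active[MAX_NODES];
    size_t i, survivors = 0;

    if (n == 0 || n > MAX_NODES) return 0;
    for (i = 0; i < n; i++) {
        if (ids[i] >> CAN_ID_BITS)      /* does not fit in 11 bits */
            return 0;
        active[i] = 1;
        lost_at[i] = -1;
    }
    *bus_id = 0;
    for (int step = 0; step < CAN_ID_BITS; step++) {
        int bus = 1;                    /* recessive unless someone drives 0 */
        for (i = 0; i < n; i++)
            if (active[i])
                bus &= id_bit(ids[i], step);
        for (i = 0; i < n; i++)
            if (active[i] && id_bit(ids[i], step) != bus) {
                active[i] = 0;          /* sent recessive, read dominant: yield */
                lost_at[i] = step;
            }
        *bus_id = (uint16_t)((*bus_id << 1) | bus);
    }
    for (i = 0; i < n; i++)
        survivors += active[i];
    return survivors;
}

int main(void)
{
    const uint16_t ids[] = { 0x65D, 0x123, 0x125, 0x7FF };  /* constructed */
    int lost_at[4];
    uint16_t bus_id;
    size_t left = can_arbitrate(ids, 4, lost_at, &bus_id);
    printf("bus carried 0x%03X, %zu node(s) still sending\n", bus_id, left);
    for (size_t i = 0; i < 4; i++)
        printf("node 0x%03X: lost_at=%d\n", ids[i], lost_at[i]);
    return 0;
}
```

Nodes 0x123 and 0x125 stay tied until the ninth identifier bit, where 0x125 sends recessive against a dominant bus and drops out. Two nodes sending the same identifier both survive the ID field, which is why each identifier should have only one transmitter on a bus.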
In over 40 years of buying cars I cannot recall ever paying much attention to the recorded mileage. But then most of my cars come from a period when body condition was much more important and the greasy bits could be fixed relatively easily.
Having said that, I did once go as far as replacing the luminous paint on the dials of a 1954 Pathfinder. On that model the instruments were lit via UV filters which gave a rather pleasing glow to them.
It seems like you should be able to hook up an OBD2 plug and read what the "true" odometer state is. (Assuming someone didn't go through A LOT of trouble to also intercept the signal going to the OBD2 plug.)
You can't
You are right about P1, it's going to be a programming header they connect to with pogo pins. Pin: Gnd, Vcc or Rst, Boot0, SWD, SCLK. W222 and W166 are codes for various Mercedes models (S class M class).
STM32F103 is popular with Arduino, the F105 not so much. But no way to be sure unless you find the original Chinese engineer who wrote the software.
looks too well designed to be done by someone who would use Arduino, they even went through the trouble of having 5V just for the CAN transceivers. S4 could be an AUDI
BMW obviously seems to be BMW cars. S4 may be Audi S4.
@@fuzzy1dk I disagree, I use Arduino and I could design a board that looked that good, maybe better, the real skill is the firmware and we can't see that. I say good luck to the hackers
but unless your target customer is the arduino crowd why bother with arduino, make much more sense to use an IDE and debugger that is less 1980s
@@andymouse Right. Arduino is really, at its heart, just a boot loader.
There's also the standard pinouts for shields etc but the software will run even if you ignore and abuse that.
The rest is a nice set of libraries and a big HAL.
Not much in itself, it just needed someone to actually do it. The Italian fella did, fucked up a couple of pins, and consigned BASIC Stamp back to the cheap grave it kept trying to crawl out of.
Now it supports Arm. Wouldn't be surprised to see someone compile Linux on it. Using some god-awful bit banged VGA display.
I haven't even mentioned the Pi and its siblings! Aren't things great nowadays! You could knock yourself up a half decent digital scope with a touchscreen LCD that fits in your pocket! For pocket money!
Hey Clive, you just needed a USB - FTDI and connect headers to the 4 solder points shown @ 9:10 and read in Arduino's console :)
These are made and sold by a company called Abrites, and as described on the back it is a CAN gateway that repeats a lower mileage to the cluster. They do have a genuine use case in the automotive aftermarket in reusing second hand parts, because manufacturers make it (rightfully) very difficult to rewrite mileage data in any control module. These emulator/gateway modules are most commonly used to reuse a second hand instrument cluster which may have had a higher mileage than the car did rather than any nefarious purpose.
At GM Holdens there was a discussion about encrypting HSCAN data for sensitive information - we pushed for ALL data to be encrypted to obfuscate all sensitive communications. GM didn't want to spend the money.
GM knew that it helps devalue older vehicles and make people lean towards something new
Would love a in-depth, loooong video with scope, DMM, PC, datasheet orgy. =)
Please Clive!
I already saw devices to defeat the engine/airbag/brake system control lights in older cars. They were simple enough, timed switching of some sort and a small relay so the lights went on with the ignition and cut the power to them after 3 to 5 seconds so it looked legit. Same with soldering resistors to the airbag wires so the car doesn't notice a missing airbag after the old one was removed due to an accident/faulty airbag. They then usually just glued the plastic cover of the dashboard/steering wheel back on. One of the tricks you could only identify by disassembling this stuff (or if you're lucky the horn didn't work or having a hollow sound where an airbag should be).
This just seems to be the modern iteration of those old scam methods. I wonder if they also get those things to stop modern cars from displaying errors in those little LCD panels in the dash. After seeing this video I guess they are able to figure this stuff out too.
I realise it's 2yrs later but... Back from the speedo gang connector, cut the wire feeding the check engine lamp then scotch lock it (tag on) to the Battery/Gen lamp wire, wrap connector and tuck away from view inside the bundle. Fixed
One year further on and the MIL light still has a switched 12v signal from the ECU. The battery light has an ignition switched 12v feed from the battery and a negative that becomes positive once the alternator is outputting voltage. When there is a difference between battery voltage and alternator voltage the lamp lights. Doing what you suggest will just put the MIL light on permanently whenever the ignition is on and probably destroy the ECU when you back feed it with 12v on an output pin that is pulled to ground when the MIL light should be off. You would also create the potential for even more damage by connecting together 12v feeds that are both fed from different fuses/circuits. @@321CatboxWA
@@AndyMcGeever The check eng lamp is cut off out of circuit with the computer and hooked in parallel to the charge lamp, no back feed is possible. The check light comes on with the key and goes out with the charge lamp when started just like you would expect it to. It's simple and can't harm the computer. I've discovered it done to a Chevy that ran great but had codes that never triggered the lamp.
@@321CatboxWA The ground on the MIL light is permanently grounded. The 12v feed to the alternator light is permanently positive when the ignition is on. If you connect the positive going to the MIL light to the positive going to the alternator light then the MIL light will stay on. The MIL light is grounded through the common ground in the instrument cluster, the alternator ground is a separate conductor that feeds the alternator field coil and is no longer a ground path when the engine is running. If you connect the MIL light ground to the alternator light ground then you are shorting the alternator's field coil supply to ground. You would have to cut the trace on the instrument cluster to disconnect the MIL light's ground and then add a link to the alternator ground to do what you are suggesting.
@@AndyMcGeever The ck lamp hot wire was cut and tagged onto the charge lamp hot wire. Found it on a hunch, traced it, no back feed issues were observed and the charging system was working to spec. A potential dastardly way to disable a check light. I'm not advocating doing this. Results may vary.
Scary to think how many of these might be concealed in used vehicles.
Mine's so old it has a spinning cable running from the transmission to the instrument cluster. This attack wouldn't work (though there are other ways of faking mileage.)
Important then to check where this would be plugged in
I suspect they know the node address and data register(s) that contains the CAN data for the odometer on the different cars, the CPU is just acting as a gateway and filtering out the specific target register(s), the data for the odometer is then “massaged” to different values and the new altered values are sent out. The complex part is knowing where *all* the registers for the mileage data lie so you aren’t missing one. Somewhat analogous to old school software cracking.
this should absolutely be forwarded to Ben Heck! I have no idea what he could do but you know it's going to be epic!
Clive, do you upload all of the circuits you find (and enlarge) to github? I feel like it would be a very valuable repository. :3
I don't. But they're all here on TH-cam for future reference.
@@bigclivedotcom haha. Yeah, I won't ask for more than that. I'm extremely grateful for all of your efforts. I love learning about this stuff. Thank you
As clive said, the magic is in the micro program. Someone had to know the decode formats to do the programming.
@@rayraycthree5784 That's not what I was interested in. Dumping the roms of these chips is way too much work. I was simply interested in the awesome drawings and circuit designs he outlines in these videos.
@@nathantron You cannot dump the ROM of this device because it's read-protected. However the device itself can be reprogrammed, due to the fact of the real easy circuit. I have done some research recently and you can see my documentation here:
github.com/EliasKotlyar/Canfilter
It can be used as a legitimate dev-platform for retrofit installation, where you try to connect 2 components which are using different can-protocols. Also it can be used as a can-sniffer for seeing which commands are being transferred between a device and the car.
Mileage is always stored in those digital clocks, it’s an anti tamper thing
I wouldn't mind connecting it to a debugger and see if they protected the flash on it :D
evil Bunny yes they do
CANbus explained in a way that thick people understand... even though you're "not very organised" as you say.
thanks buddy. Learned a lot 😀
Squiggz 👍
Well you certainly can't argue against their quality of work - impressive.
I'd like one to reduce emissions when the GPS knows it's near a mot station
Talk to VW, they may have spares kicking around
You used to work for VW didn't you? How's the job search goin? 😆
Harley-Davidson did it before VW: www.reuters.com/article/us-harley-davidson-emissions-idUSKBN1FL67P
@@thomas316 "Harley-Davidson did not admit liability, and said previously it disagreed with the government, arguing that the tuners were designed and sold to be used in “competition only.”"
Yea, just like their "competition only" exhaust pipes that are used on the road....
...maybe the "competition" here is what Harley owner can be the biggest loudest asshole????
It's been done.
It didn't go Very Well.
Hah that QA sticker. They put it on top of the ARM chip surely as there's no doubt the ARM chip itself has passed QA ;) Can't say that's false.
I reckon that, in this context, it means "Questionable Application"
Please try to read it. I would love to see what the community can do to reverse engineer the firmware, if you are able to read it.
It won't do much more than intercepting and modifying the one parameter
You can rest assured that the real car geeks will already know plenty about every aspect of most vehicles communication protocols and how secure they are.
@@bigclivedotcom Secure - you jest, surely. It won't be secure (End to end AES256 encryption and authentication handshakes) until it becomes a legal requirement. Even then most manufacturers will fudge it and leave it with as many holes as a colander.
@@bigclivedotcom Can bus is very insecure, it was designed before there was an internet, and every car was "air gapped" to the rest of the world.
Here's where you can buy it... www.truckdiag.uk/shop/mileage-correction/can-gateway-can-filter-module/
Like others have said, the w222 is a Mercedes S class and w166 is an ML. What I didn’t see mentioned is Mercedes models share CAN architecture. These two models' CAN architecture covers the whole range of Mercedes models. From my experience these blockers do not cause error codes and are usually found by accident. There are other control modules that redundantly store the mileage and you’re able to check the mileage in those modules with a MB scan tool.
Not if you change them too
A friend of mine bought 2 trucks from a local used car lot. She took one of them in for service and the technician came out and explained to her that when they went to smog the truck they pulled the mileage off of the ECM or PCM and it was 200,000 miles more than what was on the Odometer. The truck had 400,000 some odd miles on it. She was not happy.
Love the technique of using the blow-up photos!
I used to work on equipment that had zero volts to represent a logic 1, this was so that you could connect two lines together to form an OR gate. It was known as a wired OR, and relied on the fact that zero volts would drag the +ve logic 0 down (up?) to a logic 1 (0v). It got really confusing as the newer equipment that came along used ICs and +ve represented a logic 1.
'-ve logic' is still very common. Ahh.. The days of 7401s and 7407s with open collector output for 'wired OR' (or NAND) depending which logic level you wanted 😁.
@@ColinDyckes In the early 1970s I worked on some Burroughs equipment that used quad dual input NAND gate ICs for all logic in the machine, bistables, registers, the lot.
I later moved to ICL and then to MDS where I was trained on equipment that used TTL when TTL really meant transistors! I'm currently building some kit, which for old time's sake uses transistors and diodes, not a chip in sight, let alone a microcontroller!
@@rogerbarton497 Ditto, and ICL as well! Letchworth, Stevenage, Bracknell and Reading.
Or it was on lease. Some have yearly mileage limits and if you go over them you pay more.
Except the bank leasing would be a deeper check than just looking at the dash. Even if at turn in the dash looks OK, once they really check you'll be on the hook.
I’ve designed Soooooooo many PCBs with STM32 chips. That guy has a dual CAN controller so the firmware just intercepts the traffic and sends it back out with the data overwritten. Very clever!
Typically all the signals are sent from the ecu to the dashboard, because the dashboard is a display, and the ecu can light up certain lights. On ones that have a display, they can have a second board to handle running it that talks to the ecu.